Digging in

  • Unable to move my cluster group from node A to Node B and cluster.log analysis

     

    I have a 2-node MSCS quorum-based cluster and was unable to move my cluster group from node 17 to node 16 manually from cluadmin. So let's have a look. The very first thing one will do is look at cluster.log and the event logs; we at Microsoft will grab a quick cluster MPS report to see detailed information. So I quickly ran cluster MPS on both nodes, and that grabbed all the log files into a cab file which I can look into now.

    Link for cluster mps

    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_CLUSTER.EXE

    Now, from my cluster MPS reports I quickly outlined a few things that will come in handy in my analysis:

    ffbc99dc-0432-4bc4-89bc-90c5899b99d1----------Cluster IP Address   {IP Address}

    c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7----------Disk Q:   {Physical Disk}

    3fa17b2e-a365-4c5d-8fde-460c74deaaf6----------Cluster Name   {Network Name}

    ==========================================================================================

                                                          Cluster Disk Driver Parameters

    ==========================================================================================

                    Available Disk Signatures

                    -------------------------

                    Current Used Disk Signatures

                    ----------------------------

                    1. E098B1A3

                    2. E098B1A2

                    3. C39BA6F5

                    4. AF4763FD

                    5. 09C073AC

                    6. 09C073A8


    Cluster.log Node 17

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpDoMoveGroup: Entry ... we moved the cluster group from node 17 to node 16, and whenever we do this we see FmpDoMoveGroup in the cluster.log, so you can search for DoMove to find when the group was moved and what happened after that

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpMoveGroup: Entry

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Picking node for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 [Cluster Group1], suggested node 1 ... the cluster group was on node 2 (node 17) originally, and node 1 (node 16) is suggested because this is a 2-node cluster

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Node 1 for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is user preferred ... this GUID belongs to the Cluster Group, as the cluster.oml file shows: 00000c50.00000c30::2009/01/06-14:06:03.226 OBRENAME "Group" "9d4fae4b-7dba-44f1-992a-0ecf1502e654" "Cluster Group"

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpPickNodeFromPreferredListAtRandom: Selected node 1 for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654...

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpMoveGroup: Moving group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 to node 1 (1) ... we are moving the cluster group to node 1

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpOfflineResource: Cluster Name depends on Cluster IP Address. Shut down first. ... Cluster Name depends on Cluster IP Address, so the dependent resource, Cluster Name, has to go offline before the IP address it depends on (dependents are taken offline first and brought online last, as the OnlineResource line further down confirms)

    00000468.00000128::2009/03/18-12:19:10.651 INFO [FM] FmpOfflineResource: Offline resource <Cluster Name> returned pending

    00000874.00000c04::2009/03/18-12:19:10.651 INFO [RM] RmpSetResourceStatus, Posting state 3 notification for resource <Cluster Name>

    00000468.00000774::2009/03/18-12:19:10.651 INFO [FM] NotifyCallBackRoutine: enqueuing event

    00000874.00000c04::2009/03/18-12:19:10.651 INFO Network Name <Cluster Name>: Resource is now offline

    00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Taking resource offline...

    00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Deleting IP interface 4.

    00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <Cluster IP Address>: Address 172.23.96.221 on adapter Intel(R) PRO/1000 CT Network Connection offline.

    00000874.00000b80::2009/03/18-12:19:10.651 INFO IP Address <exchange IP Address>: All resources offline - cleaning up

    00000874.00000b90::2009/03/18-12:19:10.651 ERR  IP Address <exchange IP Address>: WorkerThread: GetClusterNotify failed with status 6.

    To check what GetClusterNotify does, have a look at MSDN:

    http://msdn.microsoft.com/en-us/library/aa369623(VS.85).aspx

    Status 6 is the Win32 code ERROR_INVALID_HANDLE. The ERR line follows "All resources offline - cleaning up" from the same resource DLL at the same timestamp, which is consistent with the DLL closing its notification port as part of going offline; this line is a side effect of the move, not the reason it failed.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Dismounting volume \Device\Harddisk1\Partition1. ... now we dismount the quorum volume

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_DISMOUNT for Q (Partition1) - Received

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_DISMOUNT for Q (Partition1) - Processed

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Dismount complete, volume \Device\Harddisk1\Partition1.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup started.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is called ... here node 2 (node 17) releases its hold on the quorum disk so that the other node can reserve it

    Persistent Reserve refers to a set of Small Computer System Interface-3 (SCSI-3) standard commands and command options which give SCSI initiators the ability to establish, preempt, query and reset a reservation policy with a specified target device. The functionality provided by the Persistent Reserve commands is a superset of the Reserve/Release commands. Do not read too much into the function name here, though: StopPersistentReservations stops the resource DLL's reservation thread (the thread that periodically renews the reserve, logged as "Stopping reservation thread" next), and, as noted at the end of this post, the Server 2003 cluster service itself arbitrates with SPC-2 Reserve/Release, not with SCSI-3 persistent reservations.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Stopping reservation thread.

    00000874.00000a4c::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] CompletionRoutine, status 0.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Verifying sector size.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Reading arbitration block.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read  (sector 12)

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Writing arbitration block.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 12) [:0] (0,00000000:00000000).

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [ArbCleanup] Returning status 0.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is complete.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DisksDismountDrives: letter mask is 00010000.

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup returning final error 0

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_UNLOCK for Q (Partition1) - Received

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk: [PnP] Event GUID_IO_VOLUME_UNLOCK for Q (Partition1) - Processed

    00000874.000004c4::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: Offline, Returning final error 0. ... error 0 means success

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [PnP] Stop watching PnP events for disk 9c073a8 ... this is the disk signature of the quorum drive (entry 6, 09C073A8, in the Current Used Disk Signatures list above)

    00000874.00000828::2009/03/18-12:19:10.666 WARN Physical Disk <Disk Q:>: [PnP] RemoveDisk: WatchedList is empty

    00000874.00000828::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [PnP] Stop watching disk 9c073a8 - processed

    00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup started.

    00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is called.

    00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: [DiskArb] StopPersistentReservations is complete.

    00000874.00000130::2009/03/18-12:19:10.666 INFO Physical Disk <Disk Q:>: DiskCleanup returning final error 0

    00000468.00000ce4::2009/03/18-12:19:10.666 INFO [CP] CppResourceNotify for resource Disk Q:

    00000468.00000ce4::2009/03/18-12:19:10.666 INFO [FM] RmTerminateResource: c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 is now offline

    So here the quorum goes offline on node 2 (node 17): c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 is Disk Q: {Physical Disk}

    00000468.00000330::2009/03/18-12:19:10.682 INFO [FM] FmpCompleteMoveGroup: Completing the move for group Cluster Group1 to node 1 (1)

    00000468.00000330::2009/03/18-12:19:10.682 INFO [FM] FmpCompleteMoveGroup: Take group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 request to remote node 1 ... now the take-group request goes to node 1 so that it can take over the cluster group

    00000468.00000330::2009/03/18-12:19:10.729 WARN [NM] RpcExtErrorInfo: Error info not found.

    00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpCompleteMoveGroup: Remote node asked us to resend take group request for group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 to another node ..

    00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] Set membership mask of 0x0 returns status 1

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Wait for offline thread to complete...

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Attaching to disk with signature 9c073a8

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Disk unique id present trying new attach

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Retrieving disk number from ClusDisk registry key

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Retrieving handle to PhysicalDrive1

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Returns success.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitration Parameters: ArbAttempts 5,  SleepBeforeRetry 500 ms.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Read the partition info to insure the disk is accessible.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Issuing GetPartInfo on signature 9c073a8.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] GetPartInfo completed, status 0.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitrate for ownership of the disk by reading/writing various disk sectors.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read  (sector 12) [:0] (0,00000000:00000000).

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 11) [BLR3R07-17:0] (0,be247638:01c9a7c3).

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read  (sector 12) [:0] (0,00000000:00000000).

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful write (sector 12) [BLR3R07-17:0] (0,be247638:01c9a7c3).

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Successful read  (sector 11) [BLR3R07-17:0] (0,be247638:01c9a7c3).

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Issuing Reserve on signature 9c073a8.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Reserve completed, status 0.

    00000874.000006f4::2009/03/18-12:19:10.729 WARN Physical Disk <Disk Q:>: [DiskArb] Assume ownership of the device.

    00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] CompletionRoutine starts.

    00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitrate returned status 0.

    00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Posting request to check reserve progress.

    00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpNotifyGroupStateChangeReason: Notifying group Cluster Group1 [9d4fae4b-7dba-44f1-992a-0ecf1502e654] of state change reason 3...

    00000874.00000a4c::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] ********* IO_PENDING ********** - Request to insure reserves working is now posted.

    00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpOnlineResourceList: Previous quorum resource state for c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 is 2

    00000468.00000330::2009/03/18-12:19:10.729 INFO [FM] FmpOnlineResourceList: trying to bring quorum resource c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7 online, state 3

    00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Returns success.

    00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: Online, Wait for async cleanup worker thread in ClusDisk to complete.

    00000874.00000090::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: Online, Send Offline IOCTL to all existing volumes, then Online IOCTL.

    00000874.00000090::2009/03/18-12:19:10.744 INFO Physical Disk <Disk Q:>: Online, Recreate volume information from cluster database.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPathLite: Volume name \\?\Volume{57acdc20-dbdb-11dd-a9a5-00123f25504d}\

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: calling IsAlive function.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive called for Online check

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive checking quorum drive to insure cluster directory accessible.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\3586de39-46af-4072-9ffc-4c3a32ddf614\00000001.CPT succeeded.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\chkCD1.tmp succeeded.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\clusdbb1 succeeded.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\clusdbb1.LOG succeeded.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DiskspCheckPath: Open Q:\MSCS\quolog.log succeeded.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DriveIsAlive checking that file system is not corrupt.  If so, chkdsk may run.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksIsVolumeDirty: Volume is clean

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: letter mask is 00010000.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: DisksMountDrives: creating admin share names.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Insure mount point information is correct.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>:      Offset                      String

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: ================  ======================================

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: 0000000000007E00  \??\Volume{57acdc20-dbdb-11dd-a9a5-00123f25504d}

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: *** End of list ***

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: SetupVolGuids: Processing VolGuid list

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Retrieve and validate the disk serial number.

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Old SerNum (DF600-00A       )   Old SerNumLen (16)

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, New SerNum (DF600-00A       )   New SerNumLen (16)

    00000874.00000090::2009/03/18-12:19:10.776 INFO Physical Disk <Disk Q:>: Online, Trying to get Disk unique ids .

    00000874.00000090::2009/03/18-12:19:10.791 INFO Physical Disk <Disk Q:>: Online, returning final error 0   ResourceState 2  Valid 1

    00000874.00000828::2009/03/18-12:19:10.791 INFO Physical Disk <Disk Q:>: [PnP] Start watching PnP events for disk 9c073a8 - processed

    00000874.000006f4::2009/03/18-12:19:11.291 INFO IP Address <Cluster IP Address>: Bringing resource online...

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpPropagateResourceState: resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1 pending event.

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpRmOnlineResource: Resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1 pending

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpRmOnlineResource: Returning. Resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1, state 129, status 997.

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpOnlineResourceList: Previous resource state for 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 is 2

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpOnlineResourceList: trying to bring resource 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 online

    00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] OnlineResource: 3fa17b2e-a365-4c5d-8fde-460c74deaaf6 depends on ffbc99dc-0432-4bc4-89bc-90c5899b99d1. Bring online first.

    00000874.00000d70::2009/03/18-12:19:11.291 INFO IP Address <Cluster IP Address>: Online: Registered notification for netinterface 2a6976f9-af64-4d00-af1c-62381c96b776.

    00000874.00000d70::2009/03/18-12:19:13.510 INFO IP Address <Cluster IP Address>: IP Address 172.23.96.221 on adapter Intel(R) PRO/1000 CT Network Connection online

    00000874.00000eac::2009/03/18-12:19:13.510 INFO Network Name <Cluster Name>: Bringing resource online...

    00000874.00000eac::2009/03/18-12:19:14.369 INFO Network Name <Cluster Name>: Registered server name CLUS157442 on transport \Device\NetBt_If3.

    00000874.00000eac::2009/03/18-12:19:14.557 INFO Network Name <Cluster Name>: Registered workstation name CLUS157442 on transport \Device\NetBt_If3.

    00000874.00000eac::2009/03/18-12:19:14.557 INFO Network Name <Cluster Name>: Network Name CLUS157442 is now online

    The cluster group came back online on node 17 because node 16 was unable to arbitrate for the quorum.

    Now let's look at node 16.

    Cluster.log Node 16

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] GUM update group 9d4fae4b-7dba-44f1-992a-0ecf1502e654, state 3 ... this is the cluster group (group state 3 is PartialOnline)

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] New owner of Group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is 2, state 3, curstate 0.

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3362       type 0 context 9

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3363     type 0 context 11

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3363       type 0 context 11

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3364     type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource 3fa17b2e-a365-4c5d-8fde-460c74deaaf6, state 3, current state 2.

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3364       type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3365     type 1 context 4099

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmWriteToQuorumLog Entry Seq#=3365 Type=4099 Size=162

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmUpdateDeleteValue

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [DM] DmWriteToQuorumLog Entry Seq#=3365 Type=4099 Size=162

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3365       type 1 context 4099

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3366     type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1, state 3, current state 2.

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3366       type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3367     type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7, state 130, current state 2.

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: completed update seq 3367       type 0 context 8

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [GUM] s_GumUpdateNode: dispatching seq 3368     type 0 context 9

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] GUM update group 9d4fae4b-7dba-44f1-992a-0ecf1502e654, state 1

    00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] New owner of Group 9d4fae4b-7dba-44f1-992a-0ecf1502e654 is 2, state 1, curstate 0.

    Here node 16 receives the resource and group state changes through GUM (Global Update Manager) updates; the resource GUIDs map to:

    ffbc99dc-0432-4bc4-89bc-90c5899b99d1----------Cluster IP Address   {IP Address}

    c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7----------Disk Q:   {Physical Disk}

    3fa17b2e-a365-4c5d-8fde-460c74deaaf6----------Cluster Name   {Network Name}

    00000db8.00000d7c::2009/03/18-12:19:10.599 INFO [FM] FmsTakeGroupRequest: To take group '9d4fae4b-7dba-44f1-992a-0ecf1502e654'.

    00000db8.00000d7c::2009/03/18-12:19:10.599 INFO [FM] FmpTakeGroupRequest: To take group '9d4fae4b-7dba-44f1-992a-0ecf1502e654'. ... node 1 (node 16) is requested to take the cluster group

    00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] Wait for offline thread to complete...

    00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------. ... node 1 tries to arbitrate for the quorum

    00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Attaching to disk with signature 9c073a8

    00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb] DisksOpenResourceFileHandle: Disk unique id present trying new attach

    00000e38.00000ab4::2009/03/18-12:19:10.599 ERR  Physical Disk <Disk Q:>: [DiskArb] Signature of disk has changed or failed to find disk with id, old signature 0x9c073a8 new signature 0x9c073a8, status 2

    00000e38.00000ab4::2009/03/18-12:19:10.646 ERR  Physical Disk <Disk Q:>: SCSI: Attach, error attaching to signature 9c073a8, error 2. ... error 2 is the Win32 code ERROR_FILE_NOT_FOUND (3 would be path-not-found): clusdisk could not find a disk with signature 9c073a8 to attach to

    00000e38.00000ab4::2009/03/18-12:19:10.646 ERR  Physical Disk <Disk Q:>: Arbitrate: Unable to attach to signature 9c073a8. Error: 2.

    00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [MM] MmSetQuorumOwner(0,0), old owner 1.

    00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: MM did not select local node 1 as the arbitration winner, Status 2

    We were not able to arbitrate for the quorum on node 1, and we failed due to the reservation.

    00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: MM did not select local node 1 as the arbitration winner, Status 2

    00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: Exit for group <9d4fae4b-7dba-44f1-992a-0ecf1502e654>, Status = 1237... 1237 is ERROR_RETRY, which is why node 17 logs "Remote node asked us to resend take group request" and then arbitrates for the quorum itself
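    Reading the two logs by eye is what the analysis above does; the following script is an added example of doing the same triage mechanically. It is my code, not part of the original post and not a Microsoft tool. It parses the PID.TID::timestamp LEVEL message format of a Server 2003 cluster.log, replaces resource and group GUIDs with the names from the cluster MPS report and cluster.oml above, decodes the numeric state values (the CLUSTER_RESOURCE_STATE and CLUSTER_GROUP_STATE enumerations) and the Win32 status codes, and reports how the last DisksArbitrate attempt ended. The embedded sample lines are constructed from the node 16 and node 17 excerpts on this page.

```python
"""Offline triage of Windows Server 2003 cluster.log lines (MSCS)."""
import re
import sys
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<tid>[0-9a-f]{8})::"
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>INFO|WARN|ERR)\s+(?P<msg>.*)$"
)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# GUID -> name, as listed in the cluster MPS report and cluster.oml above.
NAMES = {
    "ffbc99dc-0432-4bc4-89bc-90c5899b99d1": "Cluster IP Address",
    "c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7": "Disk Q:",
    "3fa17b2e-a365-4c5d-8fde-460c74deaaf6": "Cluster Name",
    "9d4fae4b-7dba-44f1-992a-0ecf1502e654": "Cluster Group",
}
# CLUSTER_RESOURCE_STATE / CLUSTER_GROUP_STATE enumerations (clusapi.h).
RESOURCE_STATE = {2: "Online", 3: "Offline", 4: "Failed", 128: "Pending",
                  129: "OnlinePending", 130: "OfflinePending"}
GROUP_STATE = {0: "Online", 1: "Offline", 2: "Failed", 3: "PartialOnline", 4: "Pending"}
# Win32 error codes that occur in these excerpts (winerror.h).
WIN32 = {0: "ERROR_SUCCESS", 1: "ERROR_INVALID_FUNCTION", 2: "ERROR_FILE_NOT_FOUND",
         6: "ERROR_INVALID_HANDLE", 997: "ERROR_IO_PENDING", 1237: "ERROR_RETRY"}


def parse(text: str) -> List[Dict[str, str]]:
    """Split a cluster.log into records; lines not in the PID.TID:: format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def annotate(msg: str) -> str:
    """Replace GUIDs with names and append the meaning of state/status numbers."""
    msg = GUID_RE.sub(lambda m: NAMES.get(m.group(0), m.group(0)), msg)
    # Messages about a group use the group enumeration, all others the resource one.
    table = GROUP_STATE if re.search(r"\bgroup\b", msg, re.I) else RESOURCE_STATE
    msg = re.sub(r"\b([Ss]tate) (\d+)\b",
                 lambda m: f"{m.group(1)} {m.group(2)} [{table.get(int(m.group(2)), '?')}]",
                 msg)
    return re.sub(r"\b([Ss]tatus(?: =)?|Error:|[Ee]rror) (\d+)\b",
                  lambda m: f"{m.group(1)} {m.group(2)} [{WIN32.get(int(m.group(2)), '?')}]",
                  msg)


def report(text: str) -> List[str]:
    """Annotated one-line-per-record view, handy for diffing the two nodes' logs."""
    return [f"{r['ts']} {r['level']:4} {annotate(r['msg'])}" for r in parse(text)]


def arbitration_verdict(records: List[Dict[str, str]]) -> Optional[Dict[str, object]]:
    """Outcome of the last DisksArbitrate attempt: won or lost, status code and why."""
    verdict: Optional[Dict[str, object]] = None
    for r in records:
        msg = r["msg"]
        if "DisksArbitrate" in msg:
            verdict = {"ts": r["ts"], "won": None, "status": None, "detail": "no result logged"}
        elif verdict is None:
            continue
        elif m := re.search(r"Arbitrate returned status (\d+)", msg):
            code = int(m.group(1))
            verdict.update(won=(code == 0), status=code, detail=WIN32.get(code, "?"))
        elif m := re.search(r"Unable to attach to signature (\w+)\. Error: (\d+)", msg):
            code = int(m.group(2))
            verdict.update(won=False, status=code,
                           detail=f"clusdisk could not attach to signature {m.group(1)}: "
                                  f"{WIN32.get(code, '?')}")
    return verdict


# Constructed samples: lines copied from the two cluster.log excerpts on this page.
SAMPLE_NODE17 = """\
00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------.
00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Reserve completed, status 0.
00000874.000006f4::2009/03/18-12:19:10.729 INFO Physical Disk <Disk Q:>: [DiskArb] Arbitrate returned status 0.
00000468.00000330::2009/03/18-12:19:11.291 INFO [FM] FmpRmOnlineResource: Returning. Resource ffbc99dc-0432-4bc4-89bc-90c5899b99d1, state 129, status 997.
"""
SAMPLE_NODE16 = """\
00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] GUM update group 9d4fae4b-7dba-44f1-992a-0ecf1502e654, state 3
00000db8.00000d7c::2009/03/18-12:19:10.568 INFO [FM] Gum update resource c6b92a6f-6190-4ec2-b34f-c9a834c8b8f7, state 130, current state 2.
00000e38.00000ab4::2009/03/18-12:19:10.599 INFO Physical Disk <Disk Q:>: [DiskArb]------- DisksArbitrate -------.
00000e38.00000ab4::2009/03/18-12:19:10.599 ERR  Physical Disk <Disk Q:>: [DiskArb] Signature of disk has changed or failed to find disk with id, old signature 0x9c073a8 new signature 0x9c073a8, status 2
00000e38.00000ab4::2009/03/18-12:19:10.646 ERR  Physical Disk <Disk Q:>: Arbitrate: Unable to attach to signature 9c073a8. Error: 2.
00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: MM did not select local node 1 as the arbitration winner, Status 2
00000db8.00000d7c::2009/03/18-12:19:10.646 INFO [FM] FmpTakeGroupRequest: Exit for group <9d4fae4b-7dba-44f1-992a-0ecf1502e654>, Status = 1237...
"""

if __name__ == "__main__":
    # Pass a real cluster.log path to triage it; without one the samples are used.
    sources = {"node16": SAMPLE_NODE16, "node17": SAMPLE_NODE17}
    if len(sys.argv) > 1:
        sources = {sys.argv[1]: open(sys.argv[1], errors="replace").read()}
    for name, text in sources.items():
        print(f"== {name} ==")
        print("\n".join(report(text)))
        print("arbitration:", arbitration_verdict(parse(text)))
```

    Run it against both nodes' cluster.log files and compare the two arbitration verdicts: the node that logs "Arbitrate returned status 0" owns the quorum, and the decoded status on the losing node (here ERROR_FILE_NOT_FOUND from the failed attach) is the first thing to hand to the storage team.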

    What happened here? Aah, we see some time skew between the two nodes in the cluster.log, which matches the following event log entries:

    Type: Error   Date: 03/18/2009   Time: 4:59:03 PM   Event ID: 29   Source: W32Time   User: N/A

    Type: Information   Date: 03/18/2009   Time: 4:59:04 PM   Event ID: 37   Source: W32Time

    (Keep in mind when comparing the two: cluster.log timestamps are written in GMT, while the event log shows local time.)

    Node 16

    http://support.microsoft.com/kb/875424

    http://support.microsoft.com/kb/830092

     

    Let's search support.microsoft.com for any known issue. I found these 2 KB articles; however, none of them applies, as I am already on SP2 and we are not using the local quorum feature of the cluster. Then what's the issue? We are sure it is something on the storage side with the quorum.

    911030  A cluster node failover does not work when you use SCSI-3-compliant persistent reservations in Windows Server 2003 SP1

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;911030

    888160  Cluster is formed by using a local quorum resource after a cluster setup failure in Windows Server 2003

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;888160

    I went ahead and stopped the cluster service on node 17 and set the clusdisk driver to Demand in Device Manager, so now the quorum is not under the control of node 17, but the quorum may still have a reservation on it which is not getting cleared somehow. Node 16 was still not able to arbitrate for the quorum, and I tried restarting the cluster service on node 16 twice, but no help. I went back to node 17, restored the cluster service and the clusdisk driver start type, and we got our failed cluster online again.

    I am now more convinced that this is a storage issue. How do I fix my cluster now?

    One way is to go to the storage and troubleshoot there, but I didn't want to go down to the lab where our underlying SAN storage is, so I will just change the quorum from Q:\ to K:\.

    I stopped the cluster service on node 16 from cluadmin. I had drive K: in another group (Group 1) and I moved it to the cluster group, then right-clicked on the cluster name and selected drive K: instead of Q: for the quorum. I restarted the cluster service on node 16 and both nodes are up. Now I initiated a move group command for the cluster group and bingo! It moved fine to node 16. So we know for sure we were having a reservation issue on the original quorum disk, and node 16 was unable to clear that reservation.

    The Windows Server 2003 Cluster service uses SCSI SPC-2 Reserve/Release reservations. Problems with reservations may prevent the Cluster service from bringing a physical disk resource online. In our case it looks like the quorum disk had an active persistent reservation even after node 17 was rebooted, and that's why node 16 was unable to clear it. The Cluster service does not manage persistent reservations, so it cannot directly release or manage a persistent reservation.

    If you experience a problem with a persistent reservation, contact the storage vendor or SAN administrator to help determine whether a problem exists. Storage vendors generally have tools to identify and change the properties of storage objects, including a tool to clear reservations.

     

    The information provided here is "AS IS"

  • How to stop Chkdsk from running

     

    I have seen so many customers asking how to stop chkdsk from checking a drive at boot time, especially when they have LUNs of several terabytes and cannot afford chkdsk running and hitting the production uptime of the server. There are two ways of stopping it, and another way to do it on cluster volumes. All the ways and the related Microsoft support articles are mentioned below.

    Steps for stopping chkdsk:

    When you run chkdsk /f /r on a volume that is in use, Windows asks whether chkdsk should be scheduled to run the next time the system starts. Accepting adds a line to the BootExecute value. To prevent the scheduled chkdsk /f /r from running, follow these steps:

    1. Start the Registry Editor.

    2. Locate the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

    3. BootExecute is a REG_MULTI_SZ value. With a check scheduled on C: it holds two lines, "autocheck autochk /p \??\C:" followed by the default "autocheck autochk *". Delete the scheduled line so that only "autocheck autochk *" remains.

    If chkdsk was scheduled on several volumes there is one autocheck line per volume; repeat steps two and three for each volume that should not be checked. The BootExecute value is also where you look to see which volumes will be checked at the next startup.

     

    Another way

    The chkntfs /x command adds a /k:<volume> switch before the asterisk in the default BootExecute line. /k excludes the volume from the dirty-bit check that autochk does at every boot, so chkdsk will not run on it even if the volume is marked dirty.

    For example, chkntfs /x d: changes the default entry to "autocheck autochk /k:d *".

     

    BootExecute entries

    Registry value          Function
    ----------------------  -------------------------------------------------
    /k:Volume *             Excludes chkdsk from running against the volume

    Command examples

    Sample command          Registry entry value
    ----------------------  -------------------------------------------------
    chkntfs d: e: /x        Autocheck AUTOCHK /k:D /k:E *

    For more information, have a look at the article below:

    160963  CHKNTFS.EXE: What You Can Use It For

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;160963

     

    Things change a little on cluster volumes.

     

    first way

    CHKDSK is initiated when the Physical Disk resource finds the volume's dirty bit set while bringing the disk online (the DriveIsAlive / DisksIsVolumeDirty check visible in the cluster.log above). If the cluster finds such an inconsistency it is recommended to run CHKDSK, and the best way is to run it in offline mode, from a node that is temporarily out of the cluster.

    To run CHKDSK in offline mode, follow this procedure:

    1. Keep the disk resource on the passive node (the node you are about to take out of the cluster). Make sure the disk is not online on the other node while you work (take the resource offline in cluadmin if necessary): an online disk is held by its owner's SCSI reservation, so CHKDSK from this node could not open it.

    2. Stop the cluster service on the node and set the start-up type of the service to "Manual".

    3. Open regedit.

    4. Locate the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Clusdisk.

    5. Select "Clusdisk"; its values appear in the right pane.

    6. Change the "Start" value to 4 (Disabled).

    7. Restart the node.

    8. Once the system is back, run "CHKDSK /f /r" on the disk from this node.

    Once CHKDSK is finished, bring the node back into the cluster:

    1. From the Services console set the start-up type of the cluster service back to "Automatic".

    2. Open regedit.

    3. Locate the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Clusdisk.

    4. Select "Clusdisk"; its values appear in the right pane.

    5. Change the "Start" value back to 1 (System).

    6. Restart the node.

    7. The node joins the cluster again.

     

    second way

    There is an easier way of running chkdsk on a cluster physical disk. Windows Server 2003 and 2008 clusters have a maintenance mode for physical disk resources, so you do not need downtime for the whole cluster: while the resource is in maintenance mode the cluster service suspends its LooksAlive/IsAlive health checks on the disk but keeps it online, so chkdsk (or a backup or storage tool) can work on the volume without the resource being failed.

    C:\Documents and Settings\Administrator>cluster.exe res "disk s:" /maint:1

    Setting maintenance mode for resource 'disk s:'

    Resource             Group                Node            Status

    -------------------- -------------------- --------------- ------

    disk s:              Group 1              BLR3R07-16      Online(Maintenance)

    C:\Documents and Settings\Administrator>chkdsk s:

    The type of the file system is NTFS.

    Volume label is New Volume.

    WARNING!  F parameter not specified.

    Running CHKDSK in read-only mode.

    CHKDSK is verifying files (stage 1 of 3)...

     

     

    To stop the cluster from running CHKDSK on the disk resource each time it comes online, until you have the downtime to run CHKDSK offline, set the SkipChkdsk private property on the resource:

    cluster clustername res "Disk E" /priv SkipChkdsk=1

    Once CHKDSK has been run offline, revert the change with:

    cluster clustername res "Disk E" /priv SkipChkdsk=0

    Remember that with SkipChkdsk=1 a dirty volume is brought online unrepaired, so do not leave it set longer than needed.

    For more details on How to run the "chkdsk /f" command on a shared cluster disk : <http://support.microsoft.com/default.aspx?scid=kb;EN-US;176970>

    223023  Enhanced disk resource private properties when using Cluster Server

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;223023

     

    The Information provided here is "AS IS"

    Gaurav Anand

  • A starter for someone who is not familiar with Read-Only Domain Controllers (RODC)

     

     

    What

    =====

     

    RODC is a feature introduced with Windows Server 2008. A Read-Only Domain Controller differs from a domain controller holding a writable AD replica in three basic ways:

    - Read-only replica of the AD database.

    - On-demand replication (caching) of account passwords.

    - Administrative role separation: local administrative rights on the RODC can be delegated without granting any rights on other read-only or writable domain controllers.

     

     

    Why

    ====

     

    It is designed to minimize the risks introduced by running a domain controller in a less secure location such as a branch office or an extranet network.

    No changes to the AD database are possible on an RODC. All objects in the RODC's replica are read-only and can change only through inbound AD replication from an upstream writable domain controller.

    The replication partner cannot be a pre-Windows Server 2008 ("Longhorn") domain controller or another RODC.

     

     

    Features

    =========

     

    By default an RODC does not replicate the passwords of user and computer accounts into its replica of the AD database.

    Credential caching is limited to accounts that have authenticated against the RODC and that the Password Replication Policy allows to be cached, so the credentials exposed by a compromise of the RODC are limited to that set. Typically only a small subset of domain accounts has credentials cached on any given RODC, so if the RODC is stolen only those cached credentials can be subjected to a cracking attempt, and that set can be reset from the RODC's computer object once the theft is known.

     

    The Password Replication Policy is the list of rules that specify which accounts may have their passwords replicated to the RODC. Every RODC has its own Password Replication Policy; it is stored on the computer account of that domain controller.

     

    A Read-Only Domain Controller also makes it possible to delegate a certain level of access on a single machine without affecting any other domain controller in the domain or forest, so a user account that has been delegated authority on an RODC will not be able to administer other domain controllers in the domain.

     

    Limitations

    ===========

     

    An RODC brings additional requirements to the forest infrastructure. You cannot run an RODC in a forest that still has Windows 2000 domain controllers.

    An RODC needs at least one full Windows Server 2008 DC in the domain. It cannot replicate from a Windows Server 2003 domain controller and cannot forward client authentication to a Windows Server 2003 domain controller.

     

    An RODC cannot satisfy any write operation. All writes are referred to a full (writable) DC.

     

    When the connection to the full Windows Server 2008 DC is broken, only users whose credentials are already cached on the RODC are able to log on, and only resources whose passwords are cached on the RODC will be accessible.

                   

    An RODC cannot hold any operations master (FSMO) role. It can, however, be a Global Catalog server.

     

    Prerequisites

    ==============

     

    - Domain and forest functional levels must be Windows Server 2003 or higher.

    - A full Windows Server 2008 domain controller from the same domain must be available as a replication partner for the RODC.

    - The PDC emulator FSMO role must be held by a full Windows Server 2008 domain controller.

    - Windows Server 2008 ADPrep /rodcprep must have been run.

    An RODC cannot be deployed while Windows 2000 domain controllers remain in the forest.

     

  • You will not get the option to reset the PIN in BitLocker when using TPM+PIN+StartupKey protectors on Vista SP1

    Aah, I don't write blogs in such a nice format, but this was written for another document and I am putting the same copy-paste here to save time. Hope this helps.

    =======

    SYMPTOMS

    When you are using the TPM+PIN+StartupKey protector on a BitLocker-enabled Vista SP1 client, you will not get the option to reset the PIN when you go to the BitLocker Drive Encryption applet in Control Panel. The only option you receive when you choose "select keys to manage" is to duplicate the recovery password.

    CAUSE

    This is by design. The GUI shows the reset-PIN option only when there is a plain TPM+PIN protector. To reset the PIN with a TPM+PIN+StartupKey protector, use manage-bde.wsf to delete the existing protector and then add a new one.

    RESOLUTION

    1. Open a command prompt with administrator privileges.
    2. Type: cd c:\windows\system32
    3. Type: cscript manage-bde.wsf -protectors -delete c: (where c: is the volume being protected)
    4. This command removes all key protectors on the volume unless you provide additional parameters, so record the current recovery password before running it; it is your only way back into the volume if the next step fails.
    5. Press Enter.
    6. Type: cscript manage-bde.wsf -protectors -add (volume to be protected, e.g. c:) -rp -rk (volume to store the recovery key, e.g. f:) -tpsk -tp (PIN you want to set, e.g. 1234) -tsk (volume where you want to store the startup key, e.g. g:)
    7. The full command will therefore be: cscript manage-bde.wsf -protectors -add c: -rp -rk f: -tpsk -tp 1234 -tsk g:
    8. You have successfully reset the PIN.

    ======

    The Information provided here is "AS IS"

     Gaurav Anand

     

  • What is this Raw File System

    Sometimes a damaged volume may look as if it has lost its file system, and CHKDSK will complain that the file system is RAW:

    The type of the file system is RAW.

    This is a curious issue, as seen here:

    =========

    what the hell is a RAW file system?

    http://www.microsoft.com/technet/archive/community/columns/inside/techans9.mspx?mfr=true

    what the hell is a RAW file system?—is easy enough to answer. It's simply a disk partition that has not been formatted with an NT file system, neither FAT nor NTFS.

    =========

    So what is this "raw", or as it is called, the RAW file system? It is nothing but a system-supplied file system driver that is the "last resort" for all I/O requests requiring file system support. When the I/O manager calls the active file systems to mount a volume, RAW is always called last, because it supports all disk and tape media. However, RAW supplies only very primitive file handling: it does not impose any on-disk file structure or metadata structures describing the media; it simply allows read/write access to the logical blocks on the physical disk. For example, it treats the whole disk as a single file and supplies physical-disk-level access to the disk.

     

    If a device is being driven in raw mode, it has no function driver and no upper- or lower-level filter drivers. All raw-mode I/O is done by the bus driver and optional bus filter drivers.

    Note, however, that a bus driver does not normally handle read and write requests for the devices on its bus. Read and write requests to a device are handled by the device's function driver only. Only if the device is being used in raw mode does the parent bus driver handle reads and writes for the device.

    OK, the above extract is from the DDK (note that "raw mode" there is used in the PnP sense, a device driven directly by its bus driver, which is a different thing from the RAW file system driver described before it). Now let's see where I can see this happening:

     


     

     

    Here you can see the RAW file system's device objects for tape, CD-ROM and disk: rawtape, rawcdrom and rawdisk (I am using Device and Driver Explorer here).

     


     

     

    So how can I reproduce this issue (a RAW file system reported by CHKDSK)? We can use dskprobe from http://technet2.microsoft.com/WindowsServer/en/library/006902f1-bae9-4055-9ad2-123ea19006b71033.mspx and reproduce it (please do not try this on a production or home machine; you may lose data).

    There are two places where file system information is stored, as seen below:

    1. The MBR partition table (the partition type byte)

    2. The volume's boot sector (the OEM ID and the BIOS parameter block)

    When the file system information in these two sectors of the disk is not good, you may see CHKDSK reporting a RAW file system, even though the data is still there.

     


     


     


     

    A Raw volume is a volume that was never formatted and does not contain a File System

    http://support.microsoft.com/kb/929662

     

    So, just to play, I did the same on my test machine and removed the OEM ID string from the D drive's volume boot sector (and yes, this is my production machine containing lots of data). Now when I try to access the D drive it asks whether I want to format it... Of course NOT, as if we format we will lose all the data on the D drive.

    I tried running CHKDSK and you can see the results below. It says the type of the file system is RAW, and that CHKDSK is not available for RAW drives.

    I reversed my changes using dskprobe again (put NTFS back into the OEM ID string) and yes, my data is back and the D drive is accessible.
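    As an added illustration (example code written for this page, not part of the original post or of any Microsoft tool), the following Python builds a constructed MBR and NTFS boot sector, shows the two places the post names, and reproduces the OEM ID experiment in memory: identify_volume() applies the OEM ID test plus a few of the BPB sanity checks ntfs.sys performs and falls through to RAW when nothing claims the volume, which is what the mount path does too. The structure offsets are the public MBR and NTFS boot sector layouts; the sample data is constructed here and the FAT checks are heuristics on the FAT type strings, not the driver's own logic.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"

# MBR partition type bytes this example knows about. Informational only: Windows
# mounts by reading the volume boot sector, not by trusting this byte.
PARTITION_TYPES = {0x06: "FAT16", 0x07: "IFS (NTFS/HPFS/exFAT)",
                   0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


def build_mbr(part_type=0x07, start_lba=63, sectors=204800):
    """Constructed sample MBR with a single active primary partition."""
    mbr = bytearray(SECTOR)
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00\x00\x00", part_type,
                     b"\x00\x00\x00", start_lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_ntfs_vbr(oem_id=b"NTFS    "):
    """Constructed sample NTFS volume boot record with a plausible BPB."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"                      # JMP over the BPB into boot code
    vbr[3:11] = oem_id                               # OEM ID: "NTFS    " on a real volume
    struct.pack_into("<HB", vbr, 11, 512, 8)         # bytes per sector, sectors per cluster
    vbr[21] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<HHI", vbr, 24, 63, 255, 63)   # sectors/track, heads, hidden sectors
    struct.pack_into("<Q", vbr, 40, 204799)          # total sectors
    struct.pack_into("<QQ", vbr, 48, 786432, 2)      # $MFT and $MFTMirr start clusters
    vbr[64] = 0xF6                                   # clusters per FRS: 2^10 = 1024 bytes
    vbr[68] = 0x01                                   # clusters per index block
    struct.pack_into("<Q", vbr, 72, 0x1234567890ABCDEF)  # volume serial number
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def mbr_partitions(mbr):
    """Return the primary partition table entries (empty slots skipped)."""
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR boot signature missing")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": count})
    return parts


def identify_volume(vbr):
    """Which file system driver would claim this boot sector at mount time.

    NTFS is recognised by its OEM ID plus a subset of the BPB checks ntfs.sys
    performs; anything unrecognised falls through to RAW, which is exactly
    what CHKDSK then reports.
    """
    if len(vbr) < SECTOR or vbr[510:512] != BOOT_SIGNATURE:
        return "RAW"
    if vbr[3:11] == b"NTFS    ":
        bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
        if bytes_per_sector not in (512, 1024, 2048, 4096) or vbr[21] != 0xF8:
            return "RAW"
        if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
            return "RAW"
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:62] in (b"FAT12   ", b"FAT16   "):
        return vbr[54:62].decode("ascii").strip()
    return "RAW"


def clear_oem_id(vbr):
    """Reproduce the post's dskprobe experiment: blank the OEM ID field."""
    return vbr[:3] + b"\x00" * 8 + vbr[11:]


def restore_oem_id(vbr):
    """Undo the experiment by writing "NTFS    " back into the OEM ID field."""
    return vbr[:3] + b"NTFS    " + vbr[11:]
```

    Run on a real disk image, the same two functions tell you whether the partition table and the boot sector disagree: a type 0x07 partition whose boot sector no longer identifies as NTFS is the "RAW but the data is still there" situation, and a backup boot sector (NTFS keeps one in the last sector of the volume) is the usual way to repair it.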


     

    ===========================

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • NTFS Time Stamps --file created in 1601, modified in 1801 and accessed in 2008!!


    Many times we have seen server admins asking how to figure out whether someone accessed their files or not, whether it is possible to play with NTFS time stamps, or how exactly time stamps change and under what scenarios. I have heard of this issue a lot and seen people enquiring about the same, so I thought: let's play with a test Notepad file, see what time stamps I can change, and then see what really happens in the MFT.

    To read more about time stamps, please refer to the following public links.

    ========================

    "How NTFS Works" (http://technet2.microsoft.com/WindowsServer/en/library/8cc5891d-bf8e-4164-862d-dac5418c59481033.mspx?mfr=true)

    http://technet2.microsoft.com/WindowsServer/en/Library/80dc5066-7f13-4ac3-8da8-48ebd60b44471033.mspx?mfr=true

    Description of NTFS date and time stamps for files and folders

    http://support.microsoft.com/kb/299648

    Time Stamps Change When Copying From NTFS to FAT

    http://support.microsoft.com/kb/127830

    ========================

    In short:

    The last-modified time relates to the last time an application modified the unnamed data attribute, what we normally think of as "the file".

    The last-entry-modified stamp (the MFT record change time) relates to an update or modification of any attribute: data, metadata, named streams, etc.

    Last access is updated by activity involving a file, but NTFS defers the on-disk update: on Windows XP and Server 2003 the stamp is not rewritten unless the new access is at least an hour later than the stored value, and from Vista onwards last-access updates are disabled by default (NtfsDisableLastAccessUpdate), so this is the least reliable of the four stamps.

    Two metadata attributes of interest to investigators in the NTFS file system are the Master File Table (MFT) $STANDARD_INFORMATION and $FILE_NAME attributes. Both contain their own set of time stamps. The $STANDARD_INFORMATION attribute contains general information about a file such as flags, the last-accessed, written and created times, owner and security ID. The $FILE_NAME attribute contains the file name in Unicode and also its own last-accessed, written and created times.

    We have four time stamps: M (modified), A (accessed), C (created) and E (entry modified), sometimes known together as MACE.

     


     

    So I created a test Notepad file named ntfs.txt and used a third-party utility, timestomp.exe (from http://www.metasploit.com/projects/antiforensics/ ), to change the time stamps of my file, which was otherwise created today, i.e. 19 February 2008.

    C:\>TimeStomp ntfs.txt -c "Monday 7/25/1601 5:15:55 AM"

    C:\>TimeStomp ntfs.txt -m "Monday 7/25/1701 5:15:55 AM"

    C:\>TimeStomp ntfs.txt -a "Monday 7/25/1801 5:15:55 AM"

    ------------------------------------------------

    Now I checked in Explorer and, to my surprise, I have a file which was created in the year 1601 (much before I was born, before the NTFS file system was born, before computers were born). Wow!!

    Now I used another tool named NFI ( http://support.microsoft.com/kb/q253066/ ) to see the attributes and grab the file record segment of the file ntfs.txt.

    ------------------------------------

    C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

    NTFS File Sector Information Utility.

    Copyright (C) Microsoft Corporation 1999. All rights reserved.

    \ntfs.txt

        $STANDARD_INFORMATION (resident)

        $FILE_NAME (resident)

        $DATA (resident)

     

    I hadn't written anything into ntfs.txt till now, and that is why I don't see an $OBJECT_ID entry, so I wrote some garbage text in it and saved it.

    C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

    NTFS File Sector Information Utility.

    Copyright (C) Microsoft Corporation 1999. All rights reserved.

    \ntfs.txt

        $STANDARD_INFORMATION (resident)

        $FILE_NAME (resident)

        $OBJECT_ID (resident)

        $DATA (resident)

    Aaah, now I see the $OBJECT_ID attribute too. (The $OBJECT_ID attribute has a type identifier of 64 (0x40) and stores a file's 128-bit global object identifier, which can be used to address the file instead of its name. This allows a file to be found even when its name is changed.)

    But the problem is that I need to find out where on disk (in which sectors) this file is being written to, and NFI is not giving me any output for that. What to do?

    Oh, I figured it out: all the attributes, and especially the data attribute, are resident (stored inside the MFT record itself), so there are no data sectors to report. So I filled ntfs.txt with a lot of garbage data and saved it.

    I tried NFI again and finally got what I was looking for:

    C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c:\ntfs.txt

    NTFS File Sector Information Utility.

    Copyright (C) Microsoft Corporation 1999. All rights reserved.

    \ntfs.txt

        $STANDARD_INFORMATION (resident)

        $FILE_NAME (resident)

        $OBJECT_ID (resident)

        $DATA (nonresident)

            logical sectors 88364256-88364263 (0x54454e0-0x54454e7)

            logical sectors 115305560-115305567 (0x6df6c58-0x6df6c5f)

    ------------------------------

    Now from the sector I can get the file record segment of this file:

    C:\Documents and Settings\ganand\Desktop\mike\ntfs\tools>nfi c: 88364256

    NTFS File Sector Information Utility.

    Copyright (C) Microsoft Corporation 1999. All rights reserved.

    ***Logical sector 88364256 (0x54454e0) on drive C is in file number 44650. (44650 decimal is 0xAE6A in hexadecimal: the MFT record number we look at next.)

    \ntfs.txt

        $STANDARD_INFORMATION (resident)

        $FILE_NAME (resident)

        $OBJECT_ID (resident)

        $DATA (nonresident)

            logical sectors 88364256-88364263 (0x54454e0-0x54454e7)

            logical sectors 115305560-115305567 (0x6df6c58-0x6df6c5f)

    ----------------------------

    Now I wanted to look at the attributes using another NTFS utility (note that it prints the times in UTC: 5:15:55 AM local time on 7/25, with the machine at UTC+5:30, is 23:45:55 UTC on 7/24):

        STANDARD_INFORMATION {

            CreationTime          :0x0000a114ff05fb80 07/24/1601 23:45:55.0000   <-- this makes sense: timestomp set it

            LastModificationTime  :0x01c872de3753158f 02/19/2008 10:00:11.0655   <-- why this? Because I added data to ntfs.txt after using timestomp, so the modification time stamp changed again; now it makes sense

            LastChangeTime        :0x01c872de3753158f 02/19/2008 10:00:11.0655

            LastAccessTime        :0x01c872de3753158f 02/19/2008 10:00:11.0655

            FileAttributes        :0x00000020

            MaximumVersions       :0x00000000

            VersionNumber         :0x00000000

            ClassId               :0x00000000

            OwnerId               :0x00000000

            SecurityId            :0x000002fd

            QuotaCharged          :0x0000000000000000

            Usn                   :0x000000004a5e3e78

        }

    _ATTRIBUTE_RECORD_HEADER {

        ATTRIBUTE_TYPE_CODE TypeCode         :0x00000030 ($FILE_NAME)

        ULONG RecordLength                   :0x00000070

        UCHAR FormCode                       :0x00

        UCHAR NameLength                     :0x00

        USHORT NameOffset                    :0x0000      ""

        USHORT Flags                         :0x0000

        USHORT Instance                      :0x0004

        RESIDENT_FORM {

            ULONG ValueLength            :0x0052

            USHORT ValueOffset           :0x0018

            UCHAR ResidentFlags          :0x0001

            UCHAR Reserved               :0x0000

        }

    }

        FILE_NAME {

            ParentDirectory Frs, Seq        < 5 , 5 >

            DUPLICATED_INFORMATION Info {

                CreationTime         :01c872da933c2514 02/19/2008 09:34:07.0868   <-- these never changed

                LastModificationTime :01c872da933c2514 02/19/2008 09:34:07.0868

                LastChangeTime       :01c872da933c2514 02/19/2008 09:34:07.0868

                LastAccessTime       :01c872da933c2514 02/19/2008 09:34:07.0868

                AllocatedLength      :0000000000000000

                FileSize             :0000000000000000

                FileAttributes       :00000020

    --------------------------------------------------

    Let's do it once again:

    C:\>TimeStomp ntfs.txt -a "Monday 7/25/1801 5:15:55 AM"

    C:\>TimeStomp ntfs.txt -m "Monday 7/25/1801 5:15:55 AM"

    ----------------------

     

     


     

        STANDARD_INFORMATION {

            CreationTime          :0x0000a114ff05fb80 07/24/1601 23:45:55.0000

            LastModificationTime  :0x00e0da734e1ffb80 07/24/1801 23:45:55.0000

            LastChangeTime        :0x01c872de3753158f 02/19/2008 10:00:11.0655

            LastAccessTime        :0x00e0da734e1ffb80 07/24/1801 23:45:55.0000

            FileAttributes        :0x00000020

            MaximumVersions       :0x00000000

            VersionNumber         :0x00000000

            ClassId               :0x00000000

            OwnerId               :0x00000000

            SecurityId            :0x000002fd

            QuotaCharged          :0x0000000000000000

            Usn                   :0x000000004a5e8828

      

        FILE_NAME {

            ParentDirectory Frs, Seq        < 5 , 5 >

            DUPLICATED_INFORMATION Info {

                CreationTime         :01c872da933c2514 02/19/2008 09:34:07.0868   <-- THEY NEVER CHANGED

                LastModificationTime :01c872da933c2514 02/19/2008 09:34:07.0868

                LastChangeTime       :01c872da933c2514 02/19/2008 09:34:07.0868

                LastAccessTime       :01c872da933c2514 02/19/2008 09:34:07.0868

                AllocatedLength      :0000000000000000

                FileSize             :0000000000000000

                FileAttributes       :00000020

    ============

    If I understand right, FN MACE values should be older than SIA MACE values or the same, depending on the scenario. But how easy it was to play with these time stamps on the ntfs.txt file!!

    ===========================

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • What happens and parameters passed when a new process is created

     

     

    Via this blog I have just tried to show what exactly happens when a new process is created, what structures are required and what parameters are passed to that process.

    Whatever is mentioned below is extracted from different places in the Windows SDK; I have tried to put together an easy picture for understanding purposes.

    The CreateProcessAsUser function creates a new process and its primary thread. The new process then runs the specified executable file in the security context of the supplied token. There are other functions for creating processes too, such as CreateProcess and CreateProcessWithLogonW, but I have chosen CreateProcessAsUser to explain.

     

    BOOL CreateProcessAsUser(
      HANDLE hToken,
      LPCTSTR lpApplicationName,
      LPTSTR lpCommandLine,
      LPSECURITY_ATTRIBUTES lpProcessAttributes,
      LPSECURITY_ATTRIBUTES lpThreadAttributes,
      BOOL bInheritHandles,
      DWORD dwCreationFlags,
      LPVOID lpEnvironment,
      LPCTSTR lpCurrentDirectory,
      LPSTARTUPINFO lpStartupInfo,
      LPPROCESS_INFORMATION lpProcessInformation

    );

     

     

     

    Now a slightly more detailed version of all the parameters passed to CreateProcessAsUser:

     

     

    BOOL CreateProcessAsUser(
      HANDLE hToken,-------------- Handle to a primary token that represents a user.
      LPCTSTR lpApplicationName,------------ Pointer to a null-terminated string that specifies the module to execute.
     The specified module can be a Windows-based application.
      LPTSTR lpCommandLine, --------Pointer to a null-terminated string that specifies the command line to execute.
    If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute, 
    and *lpCommandLine specifies the command line.
      LPSECURITY_ATTRIBUTES lpProcessAttributes,------------- Pointer to a SECURITY_ATTRIBUTES structure that specifies
     a security descriptor for the new process and determines whether child processes can inherit the returned handle. If lpProcessAttributes 
    is NULL or lpSecurityDescriptor  is NULL, the process gets a default security descriptor and the handle cannot be inherited. 
    The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller, 
    in which case the process may not be opened again after it is run. The process handle is valid and will continue to have full access rights.
     

     lpSecurityDescriptor

    A pointer to a security descriptor for the object that controls the sharing of it. If NULL is specified for this member, the object

    is assigned the default security descriptor of the calling process. This is not the same as granting access to everyone by

    assigning a NULL discretionary access control list (DACL). The default security descriptor is based on the default DACL of

    the access token belonging to the calling process. By default, the default DACL in the access token of a process allows access

    only to the user represented by the access token. If other users must access the object, you can either create a security

    descriptor with the appropriate access, or add ACEs to the DACL that grants access to a group of users.

     
      LPSECURITY_ATTRIBUTES lpThreadAttributes, ---Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor
     for the new thread and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL or
     lpSecurityDescriptor is NULL, the thread gets a default security descriptor and the handle cannot be inherited. The default security
     descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller.
      BOOL bInheritHandles,----- If this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. 
    If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.
      DWORD dwCreationFlags,--- control the priority class and the creation of the process. 

    The GetPriorityClass function retrieves the priority class for the specified process. This value, together with the priority value of each thread 

    of the process, determines each thread's base priority level. The operating system uses the base priority level of all executable threads to

    determine which thread gets the next slice of CPU time. Threads are scheduled in a round-robin fashion at each priority level, and only when

     there are no executable threads at a higher level will scheduling of threads at a lower level take place.

     
      LPVOID lpEnvironment,------ Pointer to an environment block for the new process. If this parameter is NULL, the new process uses
     the environment of the calling process.
      LPCTSTR lpCurrentDirectory,------------ Pointer to a null-terminated string that specifies the full path to the current directory for
     the process. If this parameter is NULL, the new process will have the same current drive and directory as the calling process.
      LPSTARTUPINFO lpStartupInfo,---------- Pointer to a STARTUPINFO structure that specifies the window station, desktop, standard
     handles, and appearance of the main window for the new process.
    For graphical user interface (GUI) processes, this information affects the first window created by the CreateWindow function and 
    shown by the ShowWindow function. For console processes, this information affects the console window if a new console is created
     for the process.  A process can use the GetStartupInfo function to retrieve the STARTUPINFO structure specified when the process
     was created.
     
      LPPROCESS_INFORMATION lpProcessInformation-----------Pointer to a PROCESS_INFORMATION structure that receives identification 
    information about the new process. This structure contains information about the newly created process and its primary thread.
     typedef struct _PROCESS_INFORMATION {

      HANDLE hProcess;

      HANDLE hThread;

      DWORD dwProcessId;

      DWORD dwThreadId;
    } PROCESS_INFORMATION, 

    *LPPROCESS_INFORMATION;
    If the function succeeds, be sure to call the CloseHandle function to close the hProcess and hThread handles when you are finished with them. 
    Otherwise, when the child process exits, the system cannot clean up these handles because the parent process did not close them. 
    However, the system will close these handles when the parent process terminates, so they would be cleaned up at this point.

    );

     

    By default, CreateProcessAsUser creates the new process on a noninteractive window station with a desktop that is not visible and cannot

    receive user input. To enable user interaction with the new process, you must specify the name of the default interactive window station and

    desktop, "winsta0\default",in the lpDesktop member of the STARTUPINFO structure.

     

    The preferred way to shut down a process is by using the ExitProcess function, because this function sends notification of approaching

    termination to all DLLs attached to the process. Other means of shutting down a process do not notify the attached DLLs. Note that when

    a thread calls ExitProcess, other threads of the process are terminated without an opportunity to execute any additional code (including

    the thread termination code of attached DLLs).

     

    PLEASE LEVERAGE THE WINDOWS SDK FOR MORE ON THE SAME.

     

    ===========================

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Few public links giving an insight on Windows Internal Architecture.

     A few favorite links of mine on Windows Architecture..Hope you will like reading them..

     http://www.osronline.com/

     http://www.windowsitlibrary.com/Documents/Book.cfm?DocumentID=356

     

    http://www.jps.at/dev/kurs/3-23.html

     

    http://blogs.msdn.com/ntdebugging/archive/tags/Debugging/default.aspx

     

    http://bcs.wiley.com/he-bcs/Books?action=resource&bcsId=2217&itemId=0471694665&resourceId=5004

     

    http://uninformed.org/index.cgi?v=8&a=5&p=1

     

    ===========================

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Internal structures of the Windows Registry

    One of the best public documents on registry internals is by Mark Russinovich, and I recommend reading it before you go ahead with this article.

    http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true

    Make sure you go through Mark's article before proceeding.

    OK, so now that you have read that article, you know how the registry is broken into blocks, bins and cells, and how it is stored in memory and on disk.

    Cell directory and tables for the registry

    Now let's see the same structures via a live debugger:

    0: kd> !reg hivelist

     

    -------------------------------------------------------------------------------------------------------------

    | HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName

    -------------------------------------------------------------------------------------------------------------

    | e1008950 |       1000  | e10089b0 |       1000    |  e1008aec  |        0  |        0  |     0| e1014000  | <NONAME>

    | e1019458 |     364000  | e1021000 |      24000    |  e10195f4  |      166  |        0  |     0| e101e000  | SYSTEM

    | e1392008 |       b000  | e1392068 |       4000    |  e13921a4  |        0  |        0  |     0| e1393000  | <NONAME>

    | e2081a80 |       f000  | e2081ae0 |       1000    |  e2081c1c  |        4  |        0  |     0| e2063000  | emRoot\System32\Config\SECURITY

    | e1626a80 |      3b000  | e1626ae0 |       1000    |  e1626c1c  |       15  |        0  |     0| e205b000  | temRoot\System32\Config\DEFAULT

    | e1484008 |       8000  | e1484068 |          0    |  00000000  |        3  |        0  |     0| e1669000  | \SystemRoot\System32\Config\SAM

    | e162fa80 |    1d9a000  | e1666000 |      1d000    |  e162fc1c  |      255  |        0  |     0| e1ff9000  | emRoot\System32\Config\SOFTWARE

    | e24cc830 |      35000  | e24cc890 |       1000    |  e24cc9cc  |       14  |        0  |     0| e251d000  | tings\NetworkService\ntuser.dat

    | e24c81a8 |       1000  | e24c8208 |          0    |  00000000  |        1  |        0  |     0| e2523000  | \Microsoft\Windows\UsrClass.dat

    | e253d798 |      35000  | e253d7f8 |       1000    |  e253d934  |       14  |        0  |     0| e254c000  | ettings\LocalService\ntuser.dat

    | e2551008 |       1000  | e2551068 |          0    |  00000000  |        1  |        0  |     0| e2552000  | \Microsoft\Windows\UsrClass.dat

    | e24fd0c0 |     2cb000  | e2ff8000 |       2000    |  e24fd25c  |      159  |        0  |     0| e24f9000  |  and Settings\ganand\ntuser.dat

    | e302e008 |       9000  | e302e068 |          0    |  00000000  |        3  |        0  |     0| e309d000  | \Microsoft\Windows\UsrClass.dat

    -------------------------------------------------------------------------------------------------------------

    I dumped the hive list on my machine. The registry is maintained as hives, not as what we see when we open regedit; that is only a visual representation. The SYSTEM hive is at e1019458, a kernel-mode address, as you can tell from its value.
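    As an added example (not part of the original post or of Mark's article), the Python below builds a constructed hive image on the same layout the kernel structures describe and parses it back: the 4 KiB base block (the on-disk image of the _HBASE_BLOCK that HHIVE.BaseBlock points to), then the bins (hbin) and the cells inside them. Field offsets follow the publicly documented regf format; the checksum (XOR of the first 127 DWORDs of the base block, with 0 and 0xFFFFFFFF mapped to 1 and 0xFFFFFFFE) and the primary/secondary sequence numbers are what the kernel checks when it loads a hive, which is why a forensic parser validates both before trusting the rest of the file. The key names and hive name are made up for the example.

```python
import struct

REGF_SIG = b"regf"
HBIN_SIG = b"hbin"
BASE_BLOCK_SIZE = 0x1000     # on-disk image of _HBASE_BLOCK
HBIN_HEADER_SIZE = 0x20
NK_SIG = b"nk"
KEY_COMP_NAME = 0x0020       # nk flag: name stored as 8-bit chars instead of UTF-16


def regf_checksum(base_block):
    """XOR of the 127 DWORDs at 0x000-0x1FB, with the two reserved results avoided."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def _cell(payload):
    """Allocated cell: 4-byte size (negative = in use), rounded up to 8 bytes."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def _nk(name, flags=0):
    """Minimal key node: signature, flags, zeroed bookkeeping, name length, name."""
    raw = name.encode("latin-1")
    return (NK_SIG + struct.pack("<H", flags | KEY_COMP_NAME) + b"\x00" * 0x44
            + struct.pack("<HH", len(raw), 0) + raw)


def build_hive(root_name="SAMPLE_ROOT", subkeys=("Select", "Setup")):
    """Constructed sample hive: one base block, one 4 KiB bin, a few cells."""
    cells = _cell(_nk(root_name, flags=0x0C))        # 0x0C: root key, cannot be deleted
    for sub in subkeys:
        cells += _cell(_nk(sub))
    free = 0x1000 - HBIN_HEADER_SIZE - len(cells)
    assert free >= 8 and free % 8 == 0
    cells += struct.pack("<i", free) + b"\x00" * (free - 4)   # positive size = free cell
    # hbin header: signature, offset within the bins area, size, reserved, timestamp, spare
    hbin = HBIN_SIG + struct.pack("<II", 0, 0x1000) + b"\x00" * 20 + cells

    bb = bytearray(BASE_BLOCK_SIZE)
    bb[0:4] = REGF_SIG
    # primary seq, secondary seq, last written FILETIME, major, minor, type, format
    struct.pack_into("<IIQIIII", bb, 4, 1, 1, 0, 1, 5, 0, 1)
    # root cell offset (relative to the bins area), bins data size, clustering factor
    struct.pack_into("<III", bb, 0x24, HBIN_HEADER_SIZE, 0x1000, 1)
    bb[0x30:0x70] = "SYSTEM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", bb, 0x1FC, regf_checksum(bb))
    return bytes(bb) + hbin


def parse_hive(data):
    """Validate the base block and walk every bin and cell; return (header, bins)."""
    bb = data[:BASE_BLOCK_SIZE]
    if bb[:4] != REGF_SIG:
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", bb, 4)
    major, minor = struct.unpack_from("<II", bb, 0x14)
    root, hbins_size = struct.unpack_from("<II", bb, 0x24)
    header = {
        "version": f"{major}.{minor}",
        "root_cell": root,
        "hbins_size": hbins_size,
        # Sequence numbers differ when the last write was interrupted (the .LOG must
        # be replayed); a checksum mismatch means the header itself is damaged.
        "consistent": seq1 == seq2,
        "checksum_ok": struct.unpack_from("<I", bb, 0x1FC)[0] == regf_checksum(bb),
        "filename": bb[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
    }
    bins = []
    pos, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + hbins_size
    while pos < end:
        if data[pos:pos + 4] != HBIN_SIG:
            raise ValueError(f"bad hbin signature at file offset {pos:#x}")
        bin_offset, bin_size = struct.unpack_from("<II", data, pos + 4)
        cells, cpos = [], pos + HBIN_HEADER_SIZE
        while cpos < pos + bin_size:
            size = struct.unpack_from("<i", data, cpos)[0]
            if size == 0 or size % 8 or cpos + abs(size) > pos + bin_size:
                raise ValueError(f"bad cell size {size} at file offset {cpos:#x}")
            allocated = size < 0
            cells.append({"offset": cpos - BASE_BLOCK_SIZE, "size": abs(size),
                          "allocated": allocated,
                          "sig": data[cpos + 4:cpos + 6] if allocated else b""})
            cpos += abs(size)
        bins.append({"offset": bin_offset, "size": bin_size, "cells": cells})
        pos += bin_size
    return header, bins


def key_name(data, cell_offset):
    """Read the name out of an nk cell, given its offset relative to the bins area."""
    p = BASE_BLOCK_SIZE + cell_offset + 4          # skip the cell size field
    if data[p:p + 2] != NK_SIG:
        raise ValueError("cell is not a key node")
    flags = struct.unpack_from("<H", data, p + 2)[0]
    name_len = struct.unpack_from("<H", data, p + 0x48)[0]
    raw = data[p + 0x4C:p + 0x4C + name_len]
    return raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
```

    The cell offsets the parser reports are the same "hive-relative" offsets that the kernel's HvGetCell maps through the Stable map shown in the !reg hivelist columns above; a free cell (positive size) is space the allocator can hand out later and is also where deleted keys and values linger until overwritten.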

     

    Now we dumped the system hive

    0: kd> dt nt!hhive e1019458
    nt!HHIVE
       +0x000 Signature        : 0xbee0bee0
       +0x004 GetCellRoutine   : 0x8092d3ef     nt!HvpGetCellMapped+0
       +0x008 ReleaseCellRoutine : 0x8093db9d     nt!HvpReleaseCellMapped+0
       +0x00c Allocate         : 0x8091f642     nt!CmpAllocate+0
       +0x010 Free             : 0x8091f68d     nt!CmpFree+0
       +0x014 FileSetSize      : 0x8091e608     nt!CmpFileSetSize+0
       +0x018 FileWrite        : 0x8092798f     nt!CmpFileWrite+0
       +0x01c FileRead         : 0x808f6320     nt!CmpFileRead+0
       +0x020 FileFlush        : 0x80927615     nt!CmpFileFlush+0
       +0x024 BaseBlock        : 0xe101e000 _HBASE_BLOCK
       +0x028 DirtyVector      : _RTL_BITMAP
       +0x030 DirtyCount       : 0
       +0x034 DirtyAlloc       : 0x364
       +0x038 BaseBlockAlloc   : 0x1000
       +0x03c Cluster          : 1
       +0x040 Flat             : 0 ''
       +0x041 ReadOnly         : 0 ''
       +0x042 Log              : 0x1 ''
       +0x043 DirtyFlag        : 0x1 ''
       +0x044 HiveFlags        : 0
       +0x048 LogSize          : 0x400
       +0x04c RefreshCount     : 0
       +0x050 StorageTypeCount : 2
       +0x054 Version          : 5
       +0x058 Storage          : [2] _DUAL

    0: kd> dt nt!cmhive e1019458
    nt!CMHIVE
       +0x000 Hive             : _HHIVE
       +0x2d0 FileHandles      : [3] 0x8000031c--------------------------------------handles to the hive
       +0x2dc NotifyList       : _LIST_ENTRY [ 0xe139b678 - 0x0 ]
       +0x2e4 HiveList         : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]
       +0x2ec HiveLock         : _EX_PUSH_LOCK
       +0x2f0 ViewLock         : 0x89b8f1a8 _KGUARDED_MUTEX
       +0x2f4 WriterLock       : _EX_PUSH_LOCK
       +0x2f8 FlusherLock      : _EX_PUSH_LOCK
       +0x2fc SecurityLock     : _EX_PUSH_LOCK
       +0x300 LRUViewListHead  : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]
       +0x308 PinViewListHead  : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]
       +0x310 FileObject       : 0x89835df8 _FILE_OBJECT--------------------address of the file object
       +0x314 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"------------------path on disk
       +0x31c FileUserName     : _UNICODE_STRING ""
       +0x324 MappedViews      : 0xa6
       +0x326 PinnedViews      : 0
       +0x328 UseCount         : 0
       +0x32c SecurityCount    : 0x5b
       +0x330 SecurityCacheSize : 0x60
       +0x334 SecurityHitHint  : 13
       +0x338 SecurityCache    : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY
       +0x33c SecurityHash     : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]
       +0x53c UnloadEvent      : (null)
       +0x540 RootKcb          : (null)
       +0x544 Frozen           : 0 ''
       +0x548 UnloadWorkItem   : (null)
       +0x54c GrowOnlyMode     : 0 ''
       +0x550 GrowOffset       : 0
       +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]
       +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]
       +0x564 CellRemapArray   : (null)
       +0x568 Flags            : 0
       +0x56c TrustClassEntry  : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]
       +0x574 FlushCount       : 0x5a1
       +0x578 CreatorOwner     : (null)

    Now let's go to the storage:

    0: kd> dt nt!hhive e1019458 storage.
    nt!HHIVE
    Cannot find specified field members.

    0: kd> dt nt!hhive e1019458 Storage.
    nt!HHIVE
       +0x050 StorageTypeCount : 2
       +0x058 Storage  : [2]
          +0x000 Length   : 0x364000
          +0x004 Map      : 0xe1021000 _HMAP_DIRECTORY---map directory used by the configuration manager; this is the equivalent of a PDE in memory-management terms
          +0x008 SmallDir : (null)
          +0x00c Guard    : 0xffffffff
          +0x010 FreeDisplay : [24] _FREE_DISPLAY
          +0x130 FreeSummary : 0x100a5f
          +0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]---free bins for this hive

    0: kd> dt 0xe1021000 _HMAP_DIRECTORY
       +0x000 Directory        : [1024] 0xe1022000 _HMAP_TABLE---so first we went to the hive directory address, from there we found the hive table address, and from there we get the block offset. The cell index in the configuration manager is the equivalent of the PFN in the memory manager.

    0: kd> dt  0xe1022000 _HMAP_TABLE
       +0x000 Table            : [512] _HMAP_ENTRY

    0: kd> dt 0xe1021000 _HMAP_ENTRY
       +0x000 BlockAddress     : 0xe1022000-----------------
       +0x004 BinAddress       : 0xe1024000---------------------------
       +0x008 CmView           : (null)
       +0x00c MemAlloc         : 0

    So now we have reached the block, and inside the block we have reached the bin. From here we will go to the cell.

    Now, just to prove that we are on the right track, let me get to the same place via the debugger extension; for that we have !reg cellindex.

     

    0: kd> !reg baseblock e1019458

    FileName :  SYSTEM
    Signature:  HBASE_BLOCK_SIGNATURE
    Sequence1:  1a0f
    Sequence2:  1a0f
    TimeStamp:  1c84fa5 ac4d292c
    Major    :  1
    Minor    :  5
    Type     :  HFILE_TYPE_PRIMARY
    Format   :  HBASE_FORMAT_MEMORY
    RootCell :  20
    Length   :  364000
    Cluster  :  1
    CheckSum :  346bbc65

    0: kd> !reg cellindex e1019458 20

    Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20
    MapTable     = e1022000

    pcell:  de441024--------------this is the address of the cell
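    As an added example (not part of the original post), here is the directory/table/block/offset decomposition that !reg cellindex performs, written in Python so the walk above can be checked by hand. The bit widths follow the [1024] directory and [512] table dumped above. The block base 0xde441000 is an assumption derived from the pcell value printed above for RootCell 20, and the +4 is the cell's size field, which the get-cell routine skips before returning the data pointer.

```python
# HCELL_INDEX layout on 32-bit Windows, matching the structures dumped above:
#   bit 31      storage type (0 = Stable, 1 = Volatile)
#   bits 30-21  slot in HHIVE.Storage[type].Map->Directory (10 bits, 1024 _HMAP_TABLE)
#   bits 20-12  slot in _HMAP_TABLE.Table                  (9 bits, 512 _HMAP_ENTRY)
#   bits 11-0   byte offset of the cell inside its 4 KiB block
HCELL_NIL = 0xFFFFFFFF


def decode_cell_index(cell_index):
    """Split an HCELL_INDEX into (type, table, block, offset), the same four
    numbers that `!reg cellindex` prints."""
    if cell_index == HCELL_NIL:
        raise ValueError('HCELL_NIL does not refer to a cell')
    cell_type = (cell_index >> 31) & 0x1
    table = (cell_index >> 21) & 0x3FF      # directory slot
    block = (cell_index >> 12) & 0x1FF      # table slot
    offset = cell_index & 0xFFF             # offset inside the block
    return cell_type, table, block, offset


def is_mapped(hive_map, cell_index):
    """True when the block the index points into is present in `hive_map`."""
    cell_type, table, block, _ = decode_cell_index(cell_index)
    return (cell_type, table, block) in hive_map


def resolve_cell(hive_map, cell_index):
    """Emulate the get-cell walk: directory -> table -> BlockAddress, then add
    the offset and skip the 4-byte cell size field (HCELL.Size), which is why
    pcell ends in ...24 for an offset of 0x20.

    `hive_map` is {(type, table, block): BlockAddress}, standing in for the
    _HMAP_DIRECTORY / _HMAP_TABLE / _HMAP_ENTRY chain shown above."""
    cell_type, table, block, offset = decode_cell_index(cell_index)
    if (cell_type, table, block) not in hive_map:
        raise ValueError(f'cell index {cell_index:#010x} points at an unmapped block')
    if offset & 0x7:
        raise ValueError('cells are 8-byte aligned; this offset is not')
    return hive_map[(cell_type, table, block)] + offset + 4


# Constructed map with a single stable block.  0xde441000 is an assumption taken
# from the pcell value (de441024) that !reg cellindex printed for RootCell 20.
SYSTEM_HIVE_MAP = {(0, 0, 0): 0xDE441000}

if __name__ == '__main__':
    t, tbl, blk, off = decode_cell_index(0x20)
    print(f'Type = {t} Table = {tbl} Block = {blk} Offset = {off:x}')
    print(f'pcell: {resolve_cell(SYSTEM_HIVE_MAP, 0x20):x}')
```

    Running it prints the same Type/Table/Block/Offset line as the debugger and a pcell of de441024; the same decoder can be pointed at any cell index taken from a key node, which is how offline hive parsers follow key and value references.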

     

    ==========

     

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • Windows Vista Address Space Load Randomization - the way Vista loads DLLs

    Let's talk first about what a DLL is and why we need it. A dynamic-link library (DLL) is shared code and data that an application can load and call at run time. A DLL typically exports a set of routines for applications to use and contains other routines for internal use. This technique enables code reuse by allowing multiple applications to share common functionality in a library and load it on demand. Advantages of using DLLs include a reduced code footprint, lower memory utilization because a single copy is shared, and much more.

    The original purpose of DLLs was to save both the disk space and the memory required for Windows applications by sharing a single library between two loaded programs. In a conventional non-shared library, sections of code are simply added to the calling program when its executable is built at the linking phase; if two programs use the same routine, the code has to be included in both. Instead, code which multiple applications share can be separated into a DLL, which exists as a single, separate file and is loaded only once into memory during usage. Extensive use of DLLs allowed early versions of Windows to work under tight memory conditions, in an environment in which all programs shared the same address space.

    How are these DLLs and EXE files loaded?

    This is done by the loader. The loader is the part of an operating system that is responsible for loading programs from executables (i.e., executable files) into memory, preparing them for execution and then executing them. The loader is usually part of the operating system's kernel; it is loaded at system boot time and stays in memory until the system is rebooted, shut down, or powered off.

    http://support.microsoft.com/kb/100635

    Now what is the change in Vista, and what is this address space load randomization?

    Let's see it practically.

    I attached the debugger to msiexec.exe, and we see the loaded modules below.

    Before reboot, in Windows Vista

     

    CommandLine: C:\Windows\System32\msiexec.exe
    Symbol search path is: SRV*C:\WINDOWS\Symbols*\\symbols\symbols
    Executable search path is:
    ModLoad: 00ab0000 00ac4000   msiexec.exe
    ModLoad: 772c0000 773de000   ntdll.dll
    ModLoad: 771e0000 772b8000   C:\Windows\system32\kernel32.dll
    ModLoad: 768e0000 7699f000   C:\Windows\system32\ADVAPI32.dll
    ModLoad: 769a0000 76a63000   C:\Windows\system32\RPCRT4.dll
    ModLoad: 76ed0000 76f6e000   C:\Windows\system32\USER32.dll
    ModLoad: 76a70000 76abb000   C:\Windows\system32\GDI32.dll
    ModLoad: 76f70000 7701a000   C:\Windows\system32\msvcrt.dll
    ModLoad: 76790000 768d4000   C:\Windows\system32\ole32.dll
    ModLoad: 72950000 72b54000   C:\Windows\System32\msi.dll

    In the legacy OS scenario, if I want to write bad code or modify something on your machine, I know that msi.dll is going to load at this address every time. Even if I am not going to use this DLL later, I keep this address reserved for msi.dll once it is loaded. In Vista, due to address space load randomization, I will unload and reload it later at some other address, and while I am not using this DLL I need not reserve the address for it. BENEFIT: the same address can be used by the next DLL that loads, creating larger regions of free memory for contiguous memory allocations and reducing the number of page tables the memory manager allocates to keep track of the address-space layout.

     

    After reboot
    =========

    Executable search path is:
    ModLoad: 005b0000 005c4000   msiexec.exe
    ModLoad: 77540000 7765e000   ntdll.dll
    ModLoad: 763e0000 764b8000   C:\Windows\system32\kernel32.dll
    ModLoad: 776c0000 7777f000   C:\Windows\system32\ADVAPI32.dll
    ModLoad: 75ed0000 75f93000   C:\Windows\system32\RPCRT4.dll
    ModLoad: 769d0000 76a6e000   C:\Windows\system32\USER32.dll
    ModLoad: 764c0000 7650b000   C:\Windows\system32\GDI32.dll
    ModLoad: 767c0000 7686a000   C:\Windows\system32\msvcrt.dll
    ModLoad: 76290000 763d4000   C:\Windows\system32\ole32.dll
    ModLoad: 72c40000 72e44000   C:\Windows\System32\msi.dll-----------------------------------the address has changed: it was loaded dynamically

     

     

    Later I did a similar test on a Win2k3 machine with notepad.exe, and we see the DLLs load at the same addresses even after a reboot.

     

    Before reboot

    Executable search path is:
    ModLoad: 01000000 01014000   C:\WINNT\system32\notepad.exe
    ModLoad: 7c800000 7c8c0000   C:\WINNT\system32\ntdll.dll
    ModLoad: 77e40000 77f42000   C:\WINNT\system32\kernel32.dll
    ModLoad: 762b0000 762f9000   C:\WINNT\system32\comdlg32.dll
    ModLoad: 77ba0000 77bfa000   C:\WINNT\system32\msvcrt.dll
    ModLoad: 77da0000 77df2000   C:\WINNT\system32\SHLWAPI.dll
    ModLoad: 77c00000 77c48000   C:\WINNT\system32\GDI32.dll
    ModLoad: 77380000 77411000   C:\WINNT\system32\USER32.dll
    ModLoad: 77f50000 77feb000   C:\WINNT\system32\ADVAPI32.dll
    ModLoad: 77c50000 77cef000   C:\WINNT\system32\RPCRT4.dll
    ModLoad: 76f50000 76f63000   C:\WINNT\system32\Secur32.dll
    ModLoad: 77420000 77523000   C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll
    ModLoad: 7c8d0000 7d0cf000   C:\WINNT\system32\SHELL32.dll
    ModLoad: 73070000 73097000   C:\WINNT\system32\WINSPOOL.DRV
    ModLoad: 4b3c0000 4b410000   C:\WINNT\system32\MSCTF.dll
    ModLoad: 71b70000 71ba6000   C:\WINNT\system32\UxTheme.dll

     

     

    After reboot
    ==============

    Executable search path is:
    ModLoad: 01000000 01014000   C:\WINNT\system32\notepad.exe
    ModLoad: 7c800000 7c8c0000   C:\WINNT\system32\ntdll.dll
    ModLoad: 77e40000 77f42000   C:\WINNT\system32\kernel32.dll
    ModLoad: 762b0000 762f9000   C:\WINNT\system32\comdlg32.dll
    ModLoad: 77ba0000 77bfa000   C:\WINNT\system32\msvcrt.dll
    ModLoad: 77da0000 77df2000   C:\WINNT\system32\SHLWAPI.dll
    ModLoad: 77c00000 77c48000   C:\WINNT\system32\GDI32.dll
    ModLoad: 77380000 77411000   C:\WINNT\system32\USER32.dll
    ModLoad: 77f50000 77feb000   C:\WINNT\system32\ADVAPI32.dll
    ModLoad: 77c50000 77cef000   C:\WINNT\system32\RPCRT4.dll
    ModLoad: 76f50000 76f63000   C:\WINNT\system32\Secur32.dll
    ModLoad: 77420000 77523000   C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\COMCTL32.dll
    ModLoad: 7c8d0000 7d0cf000   C:\WINNT\system32\SHELL32.dll
    ModLoad: 73070000 73097000   C:\WINNT\system32\WINSPOOL.DRV
    ModLoad: 4b3c0000 4b410000   C:\WINNT\system32\MSCTF.dll
    ModLoad: 71b70000 71ba6000   C:\WINNT\system32\UxTheme.dll
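    To turn the before/after comparison above into a repeatable check, here is an added Python example (not from the original post) that parses WinDbg ModLoad lines from two sessions and reports which modules changed base address. The four sample logs are trimmed copies of the listings above; on a real system you would feed it the full session logs.

```python
import re

# Trimmed copies of the four WinDbg listings above: Vista and Windows Server
# 2003, each before and after a reboot.
VISTA_BEFORE = r"""
ModLoad: 00ab0000 00ac4000   msiexec.exe
ModLoad: 772c0000 773de000   ntdll.dll
ModLoad: 771e0000 772b8000   C:\Windows\system32\kernel32.dll
ModLoad: 72950000 72b54000   C:\Windows\System32\msi.dll
"""
VISTA_AFTER = r"""
ModLoad: 005b0000 005c4000   msiexec.exe
ModLoad: 77540000 7765e000   ntdll.dll
ModLoad: 763e0000 764b8000   C:\Windows\system32\kernel32.dll
ModLoad: 72c40000 72e44000   C:\Windows\System32\msi.dll
"""
W2K3_BEFORE = r"""
ModLoad: 01000000 01014000   C:\WINNT\system32\notepad.exe
ModLoad: 7c800000 7c8c0000   C:\WINNT\system32\ntdll.dll
ModLoad: 77e40000 77f42000   C:\WINNT\system32\kernel32.dll
"""
W2K3_AFTER = W2K3_BEFORE   # the 2003 listing is identical after the reboot

MODLOAD_RE = re.compile(r'^\s*ModLoad:\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\S+)')


def parse_modloads(log):
    """{module basename (lower-case): (start, end)} from a WinDbg session log.
    Lines that are not ModLoad records are ignored."""
    modules = {}
    for line in log.splitlines():
        m = MODLOAD_RE.match(line)
        if not m:
            continue
        start, end, path = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        name = path.rsplit('\\', 1)[-1].lower()   # strip the directory if present
        modules[name] = (start, end)
    return modules


def base_changes(before_log, after_log):
    """For modules present in both sessions, {name: (base_before, base_after)}."""
    before, after = parse_modloads(before_log), parse_modloads(after_log)
    return {name: (before[name][0], after[name][0])
            for name in sorted(set(before) & set(after))}


def relocated(before_log, after_log):
    """Names of the modules whose base address differs between the sessions."""
    return [name for name, (a, b) in base_changes(before_log, after_log).items() if a != b]


def aslr_looks_active(before_log, after_log, min_modules=3):
    """Heuristic: randomization is in effect when every module common to both
    sessions moved.  `min_modules` keeps a two-line log from passing by luck."""
    changes = base_changes(before_log, after_log)
    return len(changes) >= min_modules and all(a != b for a, b in changes.values())


if __name__ == '__main__':
    for label, before, after in (('Vista', VISTA_BEFORE, VISTA_AFTER),
                                 ('Win2k3', W2K3_BEFORE, W2K3_AFTER)):
        print(label, 'relocated:', relocated(before, after),
              'ASLR active:', aslr_looks_active(before, after))
```

    The check keys on base addresses only, since a module's size is the same in both sessions; modules that appear in only one log are ignored rather than counted as moved.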

     

    Now I wanted to see what the change in msi.dll is between Win2k3 and Vista, so I dumped both of them using the following command. I knew that there is a new flag in the header of the Vista msi.dll, the dynamic relocation flag, but I guess I was not able to see it because the link.exe I was using was not from the Vista SDK.

    C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -headers c:\windows\system32\msi.dll
    Microsoft (R) COFF/PE Dumper Version 7.10.2179
    Copyright (C) Microsoft Corporation.  All rights reserved.

    Dump of file c:\windows\system32\msi.dll

    PE signature found

    File Type: DLL

    FILE HEADER VALUES
                 14C machine (x86)
                   5 number of sections
            4549BD89 time date stamp Thu Nov 02 15:12:33 2006
                   0 file pointer to symbol table
                   0 number of symbols
                  E0 size of optional header
                2102 characteristics
                       Executable
                       32 bit word machine
                       DLL

    OPTIONAL HEADER VALUES
                 10B magic # (PE32)
                8.00 linker version
              1DAE00 size of code
               25200 size of initialized data
                   0 size of uninitialized data
                7B2D entry point (751F7B2D)
                1000 base of code
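    The flag being looked for lives in the DllCharacteristics word of the optional header; IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) is the bit that opts an image into relocation at load time. As an added example that is not from the original post, the Python below builds a minimal PE32 header from the values in the dump above (the DllCharacteristics value itself is constructed, since the dump did not show it) and reads the flag back the way an inventory of non-randomized DLLs would over real files.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040   # image may be relocated at load time: the ASLR opt-in
NX_COMPAT = 0x0100      # image is DEP compatible


def build_pe32_header(dll_characteristics):
    """Construct a minimal PE32 image (DOS header, PE signature, COFF header,
    optional header, no sections).  The COFF and optional header values are the
    ones the link.exe dump above printed for msi.dll; `dll_characteristics` is
    the constructed input, because that is the field the dump did not show."""
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)        # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH',
                       0x14C,        # machine (x86)
                       5,            # number of sections
                       0x4549BD89,   # time date stamp
                       0, 0,         # symbol table pointer / number of symbols
                       0xE0,         # size of optional header
                       0x2102)       # characteristics: Executable, 32-bit, DLL
    opt = bytearray(0xE0)
    struct.pack_into('<HBB', opt, 0, 0x10B, 8, 0)             # PE32 magic, linker 8.00
    struct.pack_into('<III', opt, 4, 0x1DAE00, 0x25200, 0)    # code / init / uninit sizes
    struct.pack_into('<II', opt, 16, 0x7B2D, 0x1000)          # entry point, base of code
    struct.pack_into('<H', opt, 70, dll_characteristics)      # DllCharacteristics
    return dos + b'PE\0\0' + coff + bytes(opt)


def dll_characteristics(image):
    """Read IMAGE_OPTIONAL_HEADER.DllCharacteristics from the bytes of a PE image."""
    if image[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    opt_size = struct.unpack_from('<H', image, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20                                            # COFF header is 20 bytes
    magic = struct.unpack_from('<H', image, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError(f'unknown optional header magic {magic:#x}')
    if opt_size < 72:
        raise ValueError('optional header too short to hold DllCharacteristics')
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from('<H', image, opt + 70)[0]


def supports_aslr(image):
    """True when the image opts into load-time relocation (DYNAMIC_BASE)."""
    return bool(dll_characteristics(image) & DYNAMIC_BASE)


if __name__ == '__main__':
    for flags in (DYNAMIC_BASE | NX_COMPAT, NX_COMPAT):
        img = build_pe32_header(flags)
        print(f'DllCharacteristics {dll_characteristics(img):#06x} -> ASLR: {supports_aslr(img)}')
```

    On a real file, read it in binary mode and pass the bytes to supports_aslr; a DLL without the bit loads at its preferred ImageBase every time, which is exactly the fixed-address situation the post describes for the legacy OS.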

     

    For more information refer to http://www.microsoft.com/technet/technetmag/issues/2007/04/VistaKernel/default.aspx

     

    ===============================

     

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

     

     

     

  • How to isolate a service in its own svchost.exe

    This is a very good public link for reading about service control manager internals and how to manage services.

    download.microsoft.com/download/f/3/9/f3900e1e-a45c-45a4-b716-740e553e1f62/SPTCF_SYS.doc

    Description of svchost.exe: http://support.microsoft.com/kb/314056

    C:\Documents and Settings\ganand>tasklist /svc

    As you see, right now my BITS service is running under svchost along with other services.

     

    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       312 N/A
    csrss.exe                      360 N/A
    winlogon.exe                   384 N/A
    services.exe                   432 Eventlog, PlugPlay
    lsass.exe                      444 HTTPFilter, Netlogon, PolicyAgent,
                                       ProtectedStorage, SamSs
    svchost.exe                    632 DcomLaunch
    svchost.exe                    704 RpcSs
    svchost.exe                    780 Dhcp, Dnscache
    svchost.exe                    828 Alerter, LmHosts, W32Time,
                                       WinHttpAutoProxySvc
    svchost.exe                    848 AeLookupSvc, AudioSrv, BITS, CryptSvc,
                                       dmserver, EventSystem, helpsvc,
                                       lanmanserver, lanmanworkstation, Netman,
                                       Nla, RasMan, Schedule, seclogon, SENS,
                                       ShellHWDetection, TrkWks, winmgmt,
                                       wuauserv, WZCSVC
    spoolsv.exe                   1024 Spooler
    msdtc.exe                     1052 MSDTC
    svchost.exe                   1172 ERSvc
    FwcAgent.exe                  1216 FwcAgent
    inetinfo.exe                  1280 IISADMIN
    InoRpc.exe                    1332 InoRPC
    InoRT.exe                     1384 InoRT
    InoTask.exe                   1420 InoTask
    svchost.exe                   1528 Pml Driver HPZ12
    svchost.exe                   1552 RemoteRegistry
    SMAgent.exe                   1584 SoundMAX Agent Service (default)
    svchost.exe                   1652 TermService
    vmh.exe                       1824 vmh
    searchindexer.exe             1912 WSearch
    CcmExec.exe                   2052 CcmExec
    vssrvc.exe                    2160 Virtual Server
    svchost.exe                   2180 W3SVC
    wmiprvse.exe                  2636 N/A
    wmiprvse.exe                  2716 N/A
    explorer.exe                  3276 N/A
    GrooveMonitor.exe             3560 N/A
    igfxtray.exe                  3568 N/A
    hkcmd.exe                     3580 N/A
    SMTray.exe                    3588 N/A
    VM_STI.EXE                    3596 N/A
    svchost.exe                   3780 TapiSrv
    ctfmon.exe                    3768 N/A
    communicator.exe              3856 N/A
    Skype.exe                     4076 N/A
    FwcMgmt.exe                   2644 N/A
    WindowsSearch.exe             2672 N/A
    ONENOTEM.EXE                  2864 N/A
    wmiprvse.exe                  3260 N/A
    VisualKB.exe                  3720 N/A
    dexplore.exe                  1660 N/A
    hh.exe                        3020 N/A
    hh.exe                        3864 N/A
    iexplore.exe                  1316 N/A
    dllhost.exe                   3204 COMSysApp
    OUTLOOK.EXE                   3904 N/A
    AcroRd32.exe                   792 N/A
    iexplore.exe                  4072 N/A
    iexplore.exe                  3944 N/A
    iexplore.exe                  2944 N/A
    cmd.exe                       2084 N/A
    regedit.exe                   3916 N/A
    wmiprvse.exe                   816 N/A
    tasklist.exe                  3492 N/A

     

     

    For troubleshooting purposes, if we want to isolate any one service running under svchost, we can do that using sc config bits type= own (the space after "type=" is required by sc's syntax).

    Now, as you see, BITS is running under its own svchost process.

     

    C:\Documents and Settings\ganand>tasklist /svc

     

    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       312 N/A
    csrss.exe                      360 N/A
    winlogon.exe                   384 N/A
    services.exe                   432 Eventlog, PlugPlay
    lsass.exe                      444 HTTPFilter, Netlogon, PolicyAgent,
                                       ProtectedStorage, SamSs
    svchost.exe                    632 DcomLaunch
    svchost.exe                    704 RpcSs
    svchost.exe                    780 Dhcp, Dnscache
    svchost.exe                    828 Alerter, LmHosts, W32Time
    svchost.exe                    848 AeLookupSvc, AudioSrv, CryptSvc, dmserver,
                                       EventSystem, helpsvc, lanmanserver,
                                       lanmanworkstation, Netman, Nla, RasMan,
                                       Schedule, seclogon, SENS, ShellHWDetection,
                                       TrkWks, winmgmt, wuauserv, WZCSVC
    spoolsv.exe                   1024 Spooler
    msdtc.exe                     1052 MSDTC
    svchost.exe                   1172 ERSvc
    FwcAgent.exe                  1216 FwcAgent
    inetinfo.exe                  1280 IISADMIN
    InoRpc.exe                    1332 InoRPC
    InoRT.exe                     1384 InoRT
    InoTask.exe                   1420 InoTask
    svchost.exe                   1528 Pml Driver HPZ12
    svchost.exe                   1552 RemoteRegistry
    SMAgent.exe                   1584 SoundMAX Agent Service (default)
    svchost.exe                   1652 TermService
    vmh.exe                       1824 vmh
    searchindexer.exe             1912 WSearch
    CcmExec.exe                   2052 CcmExec
    vssrvc.exe                    2160 Virtual Server
    svchost.exe                   2180 W3SVC
    wmiprvse.exe                  2636 N/A
    wmiprvse.exe                  2716 N/A
    explorer.exe                  3276 N/A
    GrooveMonitor.exe             3560 N/A
    igfxtray.exe                  3568 N/A
    hkcmd.exe                     3580 N/A
    SMTray.exe                    3588 N/A
    VM_STI.EXE                    3596 N/A
    svchost.exe                   3780 TapiSrv
    ctfmon.exe                    3768 N/A
    communicator.exe              3856 N/A
    Skype.exe                     4076 N/A
    FwcMgmt.exe                   2644 N/A
    WindowsSearch.exe             2672 N/A
    ONENOTEM.EXE                  2864 N/A
    wmiprvse.exe                  3260 N/A
    VisualKB.exe                  3720 N/A
    dexplore.exe                  1660 N/A
    hh.exe                        3020 N/A
    hh.exe                        3864 N/A
    iexplore.exe                  1316 N/A
    dllhost.exe                   3204 COMSysApp
    OUTLOOK.EXE                   3904 N/A
    AcroRd32.exe                   792 N/A
    iexplore.exe                  4072 N/A
    iexplore.exe                  3944 N/A
    iexplore.exe                  2944 N/A
    cmd.exe                       2084 N/A
    regedit.exe                   3916 N/A
    wmiprvse.exe                   816 N/A
    svchost.exe                   1780 BITS
    tasklist.exe                   608 N/A
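    An added Python example (not part of the original post) that parses tasklist /svc output, including the wrapped service lists, and answers by code what the two listings above answer by eye: which process hosts BITS and whether it is alone there. The two sample listings are constructed excerpts of the outputs above; the same parser works on the full output of the command.

```python
import re

# Constructed excerpts of the two "tasklist /svc" listings above: the rows that
# matter for BITS, keeping the indented continuation lines exactly as the tool
# prints them.
BEFORE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
lsass.exe                      444 HTTPFilter, Netlogon, PolicyAgent,
                                   ProtectedStorage, SamSs
svchost.exe                    828 Alerter, LmHosts, W32Time,
                                   WinHttpAutoProxySvc
svchost.exe                    848 AeLookupSvc, AudioSrv, BITS, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
svchost.exe                   1528 Pml Driver HPZ12
SMAgent.exe                   1584 SoundMAX Agent Service (default)
"""
AFTER = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    848 AeLookupSvc, AudioSrv, CryptSvc, dmserver,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, ShellHWDetection,
                                   TrkWks, winmgmt, wuauserv, WZCSVC
svchost.exe                   1780 BITS
tasklist.exe                   608 N/A
"""

# image name (may contain spaces), PID, then the service column
ROW_RE = re.compile(r'^(\S.*?)\s+(\d+)\s+(.*?)\s*$')


def _split_services(field):
    return [s.strip() for s in field.split(',') if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into {pid: (image_name, [service, ...])}.
    Lines beginning with whitespace continue the previous row's service list;
    'N/A' means the process hosts no service."""
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith('=') or line.startswith('Image Name'):
            continue
        if line[0].isspace():
            if last_pid is None:
                raise ValueError('continuation line before any process row')
            procs[last_pid][1].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f'unparsable row: {line!r}')
        image, pid, field = m.group(1), int(m.group(2)), m.group(3)
        services = [] if field == 'N/A' else _split_services(field)
        procs[pid] = (image, services)
        last_pid = pid
    return procs


def host_of(procs, service):
    """(pid, image, services) of the process hosting `service`, or None."""
    wanted = service.lower()
    for pid, (image, services) in procs.items():
        if wanted in (s.lower() for s in services):
            return pid, image, services
    return None


def is_isolated(procs, service):
    """True when `service` is the only service in its host process."""
    hit = host_of(procs, service)
    return hit is not None and len(hit[2]) == 1


def shared_svchosts(procs):
    """{pid: services} for every svchost.exe that hosts more than one service."""
    return {pid: svcs for pid, (image, svcs) in procs.items()
            if image.lower() == 'svchost.exe' and len(svcs) > 1}


if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        procs = parse_tasklist_svc(text)
        print(label, host_of(procs, 'BITS')[:2], 'isolated:', is_isolated(procs, 'BITS'))
```

    Beyond the troubleshooting use in the post, isolating a service also narrows what a crash or a compromise of that service process can reach, since it no longer shares an address space and token with the other services in the group; shared_svchosts lists the groups where that sharing still applies.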

     

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • How does the transition from user mode to kernel mode take place?

    NTDLL is used to call into the operating system, which (generally) lives in the address range 0x80000000-0xFFFFFFFF. The operating system addresses are not accessible in user mode; therefore a special protected mechanism (a CPU instruction, SYSENTER; earlier it used to be INT 2E) is used to control the transition from user mode to kernel mode. NTDLL loads the system service number into the EAX register, then copies the address of the processor-specific kernel-mode transition code on the kernel/user shared page (0x7FFE0000 + 0x300) into the EDX register, then calls through the EDX register.

    MOV    EAX, Service Number
    MOV    EDX, MM_SHARED_USER_DATA_VA + UsSystemCall
    CALL    EDX
    RET        n

    The processor-specific kernel-mode transition code depends upon whether the CPU is Intel, AMD, or Pentium II and earlier (Win2K and earlier). INT 2E vectors through the IDT (entry number 0x2E), while SYSCALL and SYSENTER vector through model-specific registers that are initialized at system boot time. These are better explained at

    http://www.codeguru.com/Cpp/W-P/system/devicedriverdevelopment/article.php/c8223/

    Win2K and earlier:
    LEA    EDX, [ESP+4]
    INT    2E                   ; Ends up calling KiSystemService
    RET

    WinXP and later (Intel):
    MOV    EDX, ESP
    SYSENTER                    ; Ends up calling KiFastCallEntry, which then calls KiSystemService
    RET

    AMD K6 and later:
    MOV    EDX, ESP
    SYSCALL                     ; Ends up calling KiSystemCall, which then calls KiSystemService
    RET

     

    KiSystemService uses the system service number (in EAX) as an index into the system service dispatch table, which contains the address of the routine in the operating system to call. This prevents an application from calling any arbitrary address in the system; an application can only call those routines that are listed in the system service dispatch table.

     

    During the initialization of NTOSKRNL, it creates a function table, hereafter referred to as the System Service Dispatch Table (SSDT), for the different services provided by NTOSKRNL. Each entry in the table contains the address of the function to be executed for a given service ID. The handler looks up this table based on the service ID passed in the EAX register and calls the corresponding system service. The code for each function resides in the kernel. Similarly, another table, the System Service Parameter Table (SSPT), tells the handler the number of parameter bytes to expect for a particular service. The handler refers to the first entry in the Service Descriptor Table for service IDs less than 0x1000 and to the second entry for service IDs greater than or equal to 0x1000. The handler checks the validity of the service ID. If it is valid, the handler extracts the addresses of the SSDT and SSPT, copies the number of bytes described by the SSPT for the service (the total size of the parameter list) from the user-mode stack to the kernel-mode stack, and then calls the function pointed to by the SSDT for that service.
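    As an added example (not from the original post), here is the user-mode side of the mechanism above in Python: a decoder that checks that an x86 ntdll system call stub has the MOV EAX / MOV EDX / CALL / RET shape listed above and extracts the service number, the table it selects (below or at/above 0x1000, as described above), and the argument bytes that RET n cleans up, which is the value the SSPT entry has to agree with. A stub that does not match, for example one whose first instruction has been overwritten with a JMP, is reported, which is the usual way to spot an inline hook on ntdll exports. The stub bytes are constructed fixtures with a hypothetical service number, not taken from any real ntdll.

```python
import struct

MM_SHARED_USER_DATA_VA = 0x7FFE0000
US_SYSTEM_CALL = 0x300                        # KUSER_SHARED_DATA.SystemCall
SYSTEM_CALL_VA = MM_SHARED_USER_DATA_VA + US_SYSTEM_CALL

# Two encodings of the indirect call are accepted: FF D2 = CALL EDX, the form
# written in the listing above, and FF 12 = CALL DWORD PTR [EDX], the bytes that
# XP/2003-era ntdll.dll stubs carry (SystemCall holds a pointer to the
# KiFastSystemCall / KiIntSystemCall code rather than the code itself).
CALL_FORMS = {b'\xFF\xD2': 'call edx', b'\xFF\x12': 'call [edx]'}


def decode_syscall_stub(stub):
    """Validate an x86 Nt*/Zw* stub and return what KiSystemService will see."""
    stub = bytes(stub)
    if len(stub) < 13:
        raise ValueError('stub too short')
    if stub[0] != 0xB8:                                   # MOV EAX, imm32
        raise ValueError(f'expected MOV EAX (B8), found {stub[0]:#04x}')
    service = struct.unpack_from('<I', stub, 1)[0]
    if stub[5] != 0xBA:                                   # MOV EDX, imm32
        raise ValueError(f'expected MOV EDX (BA), found {stub[5]:#04x}')
    target = struct.unpack_from('<I', stub, 6)[0]
    if target != SYSTEM_CALL_VA:
        raise ValueError(f'EDX loaded with {target:#x}, not SharedUserData->SystemCall')
    call_form = CALL_FORMS.get(stub[10:12])
    if call_form is None:
        raise ValueError('expected an indirect call through EDX')
    if stub[12] == 0xC2:                                  # RET imm16
        if len(stub) < 15:
            raise ValueError('truncated RET imm16')
        arg_bytes = struct.unpack_from('<H', stub, 13)[0]
    elif stub[12] == 0xC3:                                # RET
        arg_bytes = 0
    else:
        raise ValueError(f'expected RET, found {stub[12]:#04x}')
    return {
        'service': service,
        'table': (service >> 12) & 0x3,   # 0: ntoskrnl SSDT, 1: second table (ids >= 0x1000)
        'index': service & 0xFFF,         # slot within that table
        'arg_bytes': arg_bytes,           # must match the SSPT entry for this service
        'arg_count': arg_bytes // 4,
        'call': call_form,
    }


def stub_problem(stub):
    """None when the stub has the expected shape, otherwise a string saying why
    not.  A foreign first byte (typically E9, JMP rel32) is the classic sign of
    an inline hook."""
    try:
        decode_syscall_stub(stub)
    except ValueError as e:
        return str(e)
    return None


# Constructed fixtures: a hypothetical service 0x25 taking 7 DWORD arguments,
# a second-table (>= 0x1000) service taking 2, and a copy of the first whose
# MOV EAX has been overwritten with a JMP.
GOOD_STUB = bytes.fromhex('B825000000BA0003FE7FFF12C21C00')
GUI_STUB = bytes.fromhex('B834120000BA0003FE7FFFD2C20800')
HOOKED_STUB = b'\xE9' + bytes(4) + GOOD_STUB[5:]

if __name__ == '__main__':
    for name, stub in (('good', GOOD_STUB), ('gui', GUI_STUB), ('hooked', HOOKED_STUB)):
        print(name, stub_problem(stub) or decode_syscall_stub(stub))
```

    To use it on a live process, read the first 16 bytes of each Nt* export from the mapped ntdll image and compare with the on-disk copy; any export for which stub_problem returns a reason deserves a closer look.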

     

    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Dumping out notepad.exe and ntdll.dll

    I tried to dump out the headers and data sections of notepad.exe and ntdll.dll to figure out their dependencies, and which functions and services ntdll.dll provides along with the service numbers that are used in kernel mode.

    Microsoft (R) COFF/PE Dumper Version 7.10.2179
    Copyright (C) Microsoft Corporation.  All rights reserved.

    Dump of file c:\windows\system32\notepad.exe---this is what you see when you dump notepad.exe using the link tool from the SDK; these are all the DLLs that notepad.exe may use, along with the functions it imports from each.

    File Type: EXECUTABLE IMAGE

      Section contains the following imports:

        ADVAPI32.dll---these are the functions of ADVAPI32.dll that the notepad.exe image uses.
                   1001000 Import Address Table
                   1008DC8 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          77CD632E    268 RegQueryValueExW
          77CD64CC    22A RegCloseKey
          77CA8229    236 RegCreateKeyW
          77CBE8F0    17A IsTextUnicode
          77CC802D    278 RegSetValueExW

        KERNEL32.dll
                   1001018 Import Address Table
                   1008DE0 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          77E1D22A    1D0 GetFileInformationByHandle
          77E5280F    12B FindNLSString
          77E2068A    285 GlobalAlloc
          77E2087D    297 GlobalUnlock
          77E207CB    290 GlobalLock
          77E2444D     7C CreateFileMappingW
          77E45CBB    1B0 GetDateFormatW
          77E1EDBA    1E7 GetLocalTime
          77E23672    303 LocalUnlock
          77E2737E    30A MapViewOfFile
          77E442A7    31A MultiByteToWideChar
          77E48DB6    441 UnmapViewOfFile
          77E47CEE    300 LocalReAlloc
          77E29BEE    152 GetACP
          77E1AD23     C3 DeleteFileW
          77E1644C    3CD SetEndOfFile
          77E2373F    2FF LocalLock
          77E45358    148 FormatMessageW
          77E48A32    47A WideCharToMultiByte
          77E47940    3EC SetLastError
          77E483D2    48D WriteFile
          77E48129    1E6 GetLastError
          77E23842    302 LocalSize
          77E4464E    1DF GetFullPathNameW
          77E473C0    319 MulDiv
          77E2AA46    170 GetCommandLineW
          77E2D36B    2A5 HeapSetInformation
          77E47B0D    1AA GetCurrentProcessId
          77E5614A    146 FoldStringW
          77E4337B    4AA lstrcmpW
          77E449CA    1CE GetFileAttributesW
          77E44E2A    124 FindFirstFileW
          77E44EBF    119 FindClose
          77E4B29A    26A GetTimeFormatW
          77E29145    1A9 GetCurrentProcess
          77E018E0    42D TerminateProcess
          77E01890    24F GetSystemTimeAsFileTime
          77E47A1D    1AD GetCurrentThreadId
          77E47652    266 GetTickCount
          77E482B0    354 QueryPerformanceCounter
          77E4427B    1F6 GetModuleHandleA
          77E2D187    415 SetUnhandledExceptionFilter
          77E019B8    239 GetStartupInfoA
          77E4739C    2BA InterlockedCompareExchange
          77E01D91    421 Sleep
          77E47388    2BD InterlockedExchange
          77E49D35    4B6 lstrlenW
          77E44801    1EA GetLocaleInfoW
          77E20725    28C GlobalFree
          77E44572    4AD lstrcmpiW
          77E44A49    3D2 SetErrorMode
          77E4866C     7F CreateFileW
          77E484CC    368 ReadFile
          77E47A2C     43 CloseHandle
          77E43B21    2F9 LocalAlloc
          77E47374    2BC InterlockedDecrement
          77E43A9D    2FD LocalFree
          77E47360    2C0 InterlockedIncrement
          77E4D9BE    270 GetUserDefaultUILanguage
          77E95984    43E UnhandledExceptionFilter

        GDI32.dll
                   100110C Import Address Table
                   1008ED4 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          77B75FC0    25E SelectObject
          77B781E7    27B SetMapMode
          77B812F2    28F SetViewportExtEx
          77B81EA7    293 SetWindowExtEx
          77B78600    21B LPtoDP
          77B76390    266 SetBkMode
          77B7720B    20D GetTextMetricsW
          77B870AC    260 SetAbortProc
          77BA3C3B    297 StartDocW
          77BA31C8    299 StartPage
          77B87101     DD EndPage
          77BA2D8C      0 AbortDoc
          77BA30DD     DB EndDoc
          77B769A5     CD DeleteDC
          77B81550    2A0 TextOutW
          77B7ABB5    205 GetTextExtentPoint32W
          77B7BE99     30 CreateDCW
          77B7A788    20B GetTextFaceW
          77B86C04    113 EnumFontsW
          77B759F0    1F4 GetStockObject
          77B765B6    1E4 GetObjectW
          77B75EA6    1B5 GetDeviceCaps
          77B7AE17     3E CreateFontIndirectW
          77B75A1F     D0 DeleteObject

        USER32.dll
                   1001170 Import Address Table
                   1008F38 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          77D7B38E    10D GetClientRect
          77D8380D    270 SetCursor
          77D7B8EC    24C ReleaseDC
          77D7B8D8    11A GetDC
          77D9129F     A6 DialogBoxParamW
          77D732D3    266 SetActiveWindow
          77D78781    132 GetKeyboardLayout
          77D721DF    220 PostQuitMessage
          77D81D90     96 DefWindowProcW
          77D7965E    125 GetForegroundWindow
          77D7A5A6    1BD IsIconic
          77D78C26     A0 DestroyWindow
          77D68A4E    1F7 MessageBeep
          77D67B2A    187 GetWindowPlacement
          77D6D382     3A CharUpperW
          77D78671    235 RegisterClassExW
          77D6D3C5    1D9 LoadImageW
          77D7862C    1D5 LoadCursorW
          77D8244A    2A5 SetWindowLongW
          77D69DE5    1CF LoadAcceleratorsW
          77D719F6    16E GetSystemMenu
          77D674D9    2A6 SetWindowPlacement
          77D785F0     68 CreateWindowExW
          77D6F801    24A RegisterWindowMessageW
          77D6CBB7    28B SetProcessDPIAware
          77D9D86E    294 SetScrollPos
          77D78B84    2B8 ShowWindow
          77D8250E    182 GetWindowLongW
          77D825BC    21C PeekMessageW
          77D7282F     D1 EnableWindow
          77D7BEB6     C7 DrawTextExW
          77D9A500     5D CreateDialogParamW
          77D7031A    18F GetWindowTextW
          77D6B2CA    205 MoveWindow
          77D82DA7    1AA InvalidateRect
          77D82B71    263 SendMessageW
          77D6F82E     2F CharNextW
          77D996E6     3D CheckMenuItem
          77D9CA35     47 CloseClipboard
          77D9CAC8    1B6 IsClipboardFormatAvailable
          77D9CA47    20F OpenClipboard
          77D6BC72    147 GetMenuState
          77D6BE00     CF EnableMenuItem
          77D6B8F9    16B GetSubMenu
          77D67B3E    13C GetMenu
          77D79C65    2A2 SetWinEventHook
          77D819A2    14E GetMessageW
          77D83915    21F PostMessageW
          77DBFBD5    1FF MessageBoxW
          77D796AB    124 GetFocus
          77D911FF    300 WinHelpW
          77D8340C    11E GetDlgCtrlID
          77D73023     D3 EndDialog
          77D70866    18E GetWindowTextLengthW
          77D786D8    1D7 LoadIconW
          77D7B102    1B9 IsDialogMessageW
          77D7B569    2D3 TranslateAcceleratorW
          77D82AA1    2D5 TranslateMessage
          77D82A89     A9 DispatchMessageW
          77D78B98    2E9 UpdateWindow
          77D72C64    2D7 UnhookWinEvent
          77D8ACBE     41 ChildWindowFromPoint
          77D994BD    122 GetDlgItemTextW
          77D993E1    277 SetDlgItemTextW
          77D796B8    279 SetFocus
          77D75DF4    2AC SetWindowTextW
          77D82E91    155 GetParent
          77D7AC9B    1E4 LoadStringW
          77D91D1C    25A SendDlgItemMessageW
          77D7C65C    119 GetCursorPos
          77D7C1D0    254 ScreenToClient

        msvcrt.dll
                   1001290 Import Address Table
                   1009058 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          70D65BC2     37 ?terminate@@YAXXZ
          70D1E116    127 _controlfp
          70D1C032    3CE _vsnwprintf
          70D19860    4EE memset
          70D1BE1E    46D _wtol
          70D198D0    4EA memcpy
          70D1BA09    4CC iswctype
          70D37B87    4DA localtime
          70D36599    159 _except_handler4_common
          70D223B6     D2 __set_app_type
          70D223AB     BE __p__fmode
          70D223A0     B9 __p__commode
          70DB18B4     F5 _adjust_fdiv
          70D7A161    101 _amsg_exit
          70D1BBD2    1D5 _initterm
          70DAE4DC     E7 _acmdln
          70D220F7    48F exit
          70D1D39A    534 time
          70D234D9     91 __getmainargs
          70D1E342    1F4 _ismbblead
          70D74EFE     6A _XcptFilter
          70D7A2E3    162 _exit
          70D221CC    114 _cexit
          70DA5C1D     D4 __setusermatherr

        COMDLG32.dll
                   10012F4 Import Address Table
                   10090BC Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          7181D9D0      E GetSaveFileNameW
          71833E86      8 FindTextW
          71833EBA     17 ReplaceTextW
          71839307     11 PageSetupDlgW
          71842EED     14 PrintDlgExW
          718128DF      C GetOpenFileNameW
          71802517      4 CommDlgExtendedError
          71837CD1      3 ChooseFontW
          71802E37      A GetFileTitleW

        SHELL32.dll
                   100131C Import Address Table
                   10090E4 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          7669D635     1B DragAcceptFiles
          7658A7D3     20 DragQueryFileW
          766FB803     1C DragFinish
          7661AFE6     8D SHCreateItemFromParsingName
          766EA0A5    110 ShellAboutW

        WINSPOOL.DRV
                   1001334 Import Address Table
                   10090FC Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          6E19121B     85 GetPrinterDriverW
          6E199539     1D ClosePrinter
          6E187359     8F OpenPrinterW

        ole32.dll
                   1001344 Import Address Table
                   100910C Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          72C6D569     66 CoTaskMemAlloc
          72C6DD8F     10 CoCreateInstance
          72C6DE1E     67 CoTaskMemFree
          72C69BD8     6B CoUninitialize
          72C6885D     3E CoInitializeEx

        SHLWAPI.dll
                   100135C Import Address Table
                   1009124 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          6ED6E534     5D PathIsFileSpecW
          6ED7E468     FD SHStrDupW

        COMCTL32.dll
                   1001368 Import Address Table
                   1009130 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          7493FDC3      C CreateStatusWindowW
          748B3E05        Ordinal   345

        OLEAUT32.dll
                   1001374 Import Address Table
                   100913C Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          702E41AB        Ordinal     2
          702E3DAB        Ordinal     6

        ntdll.dll
                   1001380 Import Address Table
                   1009148 Import Name Table
                  FFFFFFFF time date stamp
                  FFFFFFFF Index of first forwarder reference

          77F0850D    548 WinSqmAddToStream

      Header contains the following bound import information:
        Bound to ADVAPI32.dll [4549BCD2] Thu Nov 02 15:09:30 2006---------------the stamp in brackets is the link-time stamp of the ADVAPI32.dll this image was bound against, not notepad's own build time (that is in the FILE HEADER further down). At load time the loader compares it with the time stamp in the header of the DLL it actually maps and, if they differ, throws the bound addresses away and re-resolves the imports. These are Windows Vista RTM binaries, which is why everything is dated November 2006

        Bound to KERNEL32.dll [4549BD80] Thu Nov 02 15:12:24 2006
        Bound to GDI32.dll [4549BCD3] Thu Nov 02 15:09:31 2006
        Bound to USER32.dll [4549BDE0] Thu Nov 02 15:14:00 2006
        Bound to msvcrt.dll [4549BD61] Thu Nov 02 15:11:53 2006
        Bound to COMDLG32.dll [4549BD09] Thu Nov 02 15:10:25 2006
        Bound to SHELL32.dll [4549BDB4] Thu Nov 02 15:13:16 2006
        Bound to WINSPOOL.DRV [4549BE2A] Thu Nov 02 15:15:14 2006
        Bound to ole32.dll [4549BD92] Thu Nov 02 15:12:42 2006
        Bound to SHLWAPI.dll [4549BDB9] Thu Nov 02 15:13:21 2006
        Bound to COMCTL32.dll [4549BD09] Thu Nov 02 15:10:25 2006
        Bound to OLEAUT32.dll [4549BD95] Thu Nov 02 15:12:45 2006
        Bound to ntdll.dll [4549BDC9] Thu Nov 02 15:13:37 2006

      Summary

            3000 .data
            1000 .reloc
           1A000 .rsrc
            9000 .text

    Next I dumped out the .data section shown in the summary:

     C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -section:".data" -all c:\windows\system32\notepad.exe >c:\notepaddump2.txt

    Microsoft (R) COFF/PE Dumper Version 7.10.2179
    Copyright (C) Microsoft Corporation.  All rights reserved.


    Dump of file c:\windows\system32\notepad.exe

    PE signature found------this is a Windows PE-format image (the "PE\0\0" signature sits at the offset e_lfanew in the DOS header points to)

    File Type: EXECUTABLE IMAGE-----------------------------

    FILE HEADER VALUES
                 14C machine (x86)
                   4 number of sections
            4549B0BE time date stamp Thu Nov 02 14:17:58 2006--------------------------when this image was built: the linker's time stamp, stored as seconds since 1970 UTC and printed here in local time
                   0 file pointer to symbol table
                   0 number of symbols
                  E0 size of optional header
                 102 characteristics
                       Executable
                       32 bit word machine

    OPTIONAL HEADER VALUES
                 10B magic # (PE32)
                8.00 linker version
                9000 size of code
               1CC00 size of initialized data
                   0 size of uninitialized data
                31F8 entry point (010031F8)
                1000 base of code
                D000 base of data
             1000000 image base (01000000 to 01027FFF)
                1000 section alignment
                 200 file alignment
                6.00 operating system version---------------------
                6.00 image version--------------------------
                6.00 subsystem version
                   0 Win32 version
               28000 size of image
                 400 size of headers
               2A84B checksum
                   2 subsystem (Windows GUI)-----------------------------
                8140 DLL characteristics---------------0x8000 Terminal Server Aware + 0x0100 NX compatible (DEP opt-in) + 0x0040 Dynamic base (ASLR opt-in). This 2003-era link.exe (7.10) predates the last two flags, so it prints them as RESERVED - UNKNOWN; a current dumpbin names them. These two bits are the first thing to check when asking whether a binary gets DEP and ASLR
                       RESERVED - UNKNOWN
                       RESERVED - UNKNOWN
                       Terminal Server Aware----------------------------------------
               40000 size of stack reserve
               11000 size of stack commit
              100000 size of heap reserve
                1000 size of heap commit
                   0 loader flags-------------------------------------------------
                  10 number of directories
                   0 [       0] RVA [size] of Export Directory
                8C0C [     118] RVA [size] of Import Directory
                D000 [   19A10] RVA [size] of Resource Directory
                   0 [       0] RVA [size] of Exception Directory
                   0 [       0] RVA [size] of Certificates Directory
               27000 [     D20] RVA [size] of Base Relocation Directory
                9EF8 [      38] RVA [size] of Debug Directory
                   0 [       0] RVA [size] of Architecture Directory
                   0 [       0] RVA [size] of Global Pointer Directory
                   0 [       0] RVA [size] of Thread Storage Directory
                5010 [      40] RVA [size] of Load Configuration Directory
                 278 [     10C] RVA [size] of Bound Import Directory
                1000 [     388] RVA [size] of Import Address Table Directory
                   0 [       0] RVA [size] of Delay Import Directory
                   0 [       0] RVA [size] of COM Descriptor Directory
                   0 [       0] RVA [size] of Reserved Directory


    SECTION HEADER #2
       .data name
        2124 virtual size
        A000 virtual address (0100A000 to 0100C123)
        1000 size of raw data
        9400 file pointer to raw data (00009400 to 0000A3FF)
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    C0000040 flags
             Initialized Data
             Read Write

    RAW DATA #2
      0100A000: 00 00 00 00 78 00 00 00 01 00 00 00 FF FF FF FF  ....x.......ÿÿÿÿ
      0100A010: 4E E6 40 BB B1 19 BF 44 00 00 00 00 00 00 00 00  Næ@»±.¿D........
      0100A020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A0F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A220: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
      0100A230: 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00  ................
      0100A240: 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00  ................
      0100A250: 0A 00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00  ................
      0100A260: 0E 00 00 00 2F 00 00 00 0F 00 00 00 10 00 00 00  ..../...........
      0100A270: 11 00 00 00 12 00 00 00 13 00 00 00 2D 00 00 00  ............-...
      0100A280: 14 00 00 00 15 00 00 00 16 00 00 00 17 00 00 00  ................
      0100A290: 18 00 00 00 19 00 00 00 1A 00 00 00 1B 00 00 00  ................
      0100A2A0: 1C 00 00 00 1D 00 00 00 1E 00 00 00 1F 00 00 00  ................
      0100A2B0: 20 00 00 00 21 00 00 00 22 00 00 00 23 00 00 00   ...!..."...#...
      0100A2C0: 24 00 00 00 25 00 00 00 26 00 00 00 27 00 00 00  $...%...&...'...
      0100A2D0: 28 00 00 00 29 00 00 00 2A 00 00 00 2B 00 00 00  (...)...*...+...
      0100A2E0: 2C 00 00 00 2E 00 00 00 CC 2F 00 01 00 00 00 00  ,.......Ì/......
      0100A2F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A3F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A4F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A5F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A6F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A7F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A800: 2C A2 00 01 30 A2 00 01 34 A2 00 01 38 A2 00 01  ,¢..0¢..4¢..8¢..
      0100A810: 44 A2 00 01 40 A2 00 01 3C A2 00 01 48 A2 00 01  D¢..@¢..<¢..H¢..
      0100A820: 4C A2 00 01 50 A2 00 01 54 A2 00 01 58 A2 00 01  L¢..P¢..T¢..X¢..
      0100A830: 5C A2 00 01 60 A2 00 01 68 A2 00 01 6C A2 00 01  \¢..`¢..h¢..l¢..
      0100A840: 70 A2 00 01 80 A2 00 01 84 A2 00 01 88 A2 00 01  p¢...¢...¢...¢..
      0100A850: 8C A2 00 01 90 A2 00 01 94 A2 00 01 98 A2 00 01  .¢...¢...¢...¢..
      0100A860: 9C A2 00 01 A4 A2 00 01 A0 A2 00 01 A8 A2 00 01  .¢..¤¢.. ¢..¨¢..
      0100A870: AC A2 00 01 B0 A2 00 01 B4 A2 00 01 B8 A2 00 01  ¬¢..°¢..´¢..¸¢..
      0100A880: BC A2 00 01 C0 A2 00 01 74 A2 00 01 78 A2 00 01  ¼¢..À¢..t¢..x¢..
      0100A890: C4 A2 00 01 C8 A2 00 01 CC A2 00 01 D0 A2 00 01  Ä¢..È¢..Ì¢..Т..
      0100A8A0: D4 A2 00 01 D8 A2 00 01 DC A2 00 01 E0 A2 00 01  Ô¢..Ø¢..Ü¢..à¢..
      0100A8B0: 7C A2 00 01 E4 A2 00 01 64 A2 00 01 00 00 00 00  |¢..ä¢..d¢......
      0100A8C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A8D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A8E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A8F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100A9F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AA90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AAF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AB90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ABA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ABB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ABC0: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
      0100ABD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ABE0: 00 00 00 00 00 00 00 00 2D 51 00 01 61 50 00 01  ........-Q..aP..
      0100ABF0: 7C 50 00 01 AA 50 00 01 13 51 00 01 B4 50 00 01  |P..ªP...Q..´P..
      0100AC00: 71 53 00 01 20 51 00 01 B4 50 00 01 20 51 00 01  qS.. Q..´P.. Q..
      0100AC10: BD 51 00 01 C1 50 00 01 DB 50 00 01 F5 50 00 01  ½Q..ÁP..ÛP..õP..
      0100AC20: 13 51 00 01 20 51 00 01 13 51 00 01 00 00 00 00  .Q.. Q...Q......
      0100AC30: FF FF 00 00 44 A2 00 01 02 00 00 00 50 A2 00 01  ÿÿ..D¢......P¢..
      0100AC40: 0A 00 00 00 54 A2 00 01 05 00 00 00 44 A2 00 01  ....T¢......D¢..
      0100AC50: 06 00 00 00 44 A2 00 01 04 10 00 00 94 A2 00 01  ....D¢.......¢..
      0100AC60: 05 10 00 00 44 A2 00 01 08 10 00 00 E8 A2 00 01  ....D¢......è¢..
      0100AC70: EF BB BF 00 FF FE 00 00 FE FF 00 00 00 00 00 00  .ÿþ..þÿ......
      0100AC80: 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  Y...............
      0100AC90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ACF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AD90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100ADF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AE80: 00 00 00 00 00 00 00 00 59 00 00 00 00 00 00 00  ........Y.......
      0100AE90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AEA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AEB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AEC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AED0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AEE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AEF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AF90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      0100AFF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

      Summary

            3000 .data
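    The header fields above are easy to read back with a few struct calls. The following is an added example, not part of the original post and not Microsoft code: it walks MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32 and decodes DllCharacteristics with the current winnt.h flag table, so the bits the old link.exe printed as RESERVED - UNKNOWN come out as NX_COMPAT and DYNAMIC_BASE. The sample header is constructed in code from the notepad.exe values in the dump (machine 14C, stamp 4549B0BE, DllCharacteristics 8140 and so on); nothing is read from disk, and the function names are this example's own.

```python
"""Added example: parse a PE32 file header and optional header and name the
DEP/ASLR bits in DllCharacteristics. Stdlib only; sample header is constructed."""
import struct
from datetime import datetime, timezone
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",            # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",               # DEP opt-in
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_dll_characteristics(value: int) -> List[str]:
    """Names every set bit; bits not in the table are reported by value, not hidden."""
    names = [name for bit, name in DLL_CHARACTERISTICS.items() if value & bit]
    unknown = value & ~sum(DLL_CHARACTERISTICS)
    if unknown:
        names.append("UNKNOWN_%04X" % unknown)
    return names


def parse_pe_headers(data: bytes) -> Dict[str, object]:
    """Walks MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsect, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 10B) handled here, got %X" % magic)
    entry = struct.unpack_from("<I", data, oh + 16)[0]          # AddressOfEntryPoint (RVA)
    image_base = struct.unpack_from("<I", data, oh + 28)[0]     # ImageBase
    size_of_image = struct.unpack_from("<I", data, oh + 56)[0]  # SizeOfImage
    subsystem, dllchars = struct.unpack_from("<HH", data, oh + 68)
    return {
        "machine": machine,
        "sections": nsect,
        "link_timestamp": stamp,
        "link_time_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars,
        "entry_point_va": image_base + entry,
        "image_range": (image_base, image_base + size_of_image - 1),
        "subsystem": subsystem,
        "dll_characteristics": dllchars,
        "dll_flags": decode_dll_characteristics(dllchars),
        "dep": bool(dllchars & 0x0100),
        "aslr": bool(dllchars & 0x0040),
    }


def build_sample_header() -> bytes:
    """Constructed MZ/PE header carrying the notepad.exe values from the dump (not read from disk)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0x4549B0BE, 0, 0, 0xE0, 0x102)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # IMAGE_OPTIONAL_HEADER32 up to the directories
    opt = struct.pack(
        fmt,
        0x10B, 8, 0,                                   # magic PE32, linker 8.00
        0x9000, 0x1CC00, 0,                            # size of code / initialized / uninitialized data
        0x31F8, 0x1000, 0xD000,                        # entry point, base of code, base of data
        0x1000000, 0x1000, 0x200,                      # image base, section alignment, file alignment
        6, 0, 6, 0, 6, 0,                              # OS, image and subsystem versions
        0, 0x28000, 0x400, 0x2A84B,                    # Win32 version, size of image, size of headers, checksum
        2, 0x8140,                                     # subsystem GUI, DllCharacteristics
        0x40000, 0x11000, 0x100000, 0x1000, 0, 16,     # stack/heap sizes, loader flags, directory count
    )
    opt += struct.pack("<II", 0, 0) + struct.pack("<II", 0x8C0C, 0x118) + bytes(8 * 14)  # 16 data directories
    return bytes(dos) + b"PE\0\0" + file_hdr + opt


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_header()).items():
        print("%-20s %s" % (key, value))
```

    Point the same parser at a real file with `open(path, "rb").read()`; it raises rather than guessing when the magic is not 10B, so a PE32+ image is not silently misread with 32-bit offsets.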


    C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -dependents c:\windows\system32\notepad.exe
    Microsoft (R) COFF/PE Dumper Version 7.10.2179
    Copyright (C) Microsoft Corporation.  All rights reserved.


    Dump of file c:\windows\system32\notepad.exe

    File Type: EXECUTABLE IMAGE

      Image has the following dependencies:

        ADVAPI32.dll
        KERNEL32.dll
        GDI32.dll
        USER32.dll
        msvcrt.dll
        COMDLG32.dll
        SHELL32.dll
        WINSPOOL.DRV
        ole32.dll
        SHLWAPI.dll
        COMCTL32.dll
        OLEAUT32.dll
        ntdll.dll 

    ====
    C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -exports c:\windows\system32\ntdll.dll >c:\ntdll.txt

     Dump of file c:\windows\system32\ntdll.dll

    File Type: DLL

      Section contains the following exports for ntdll.dll

        00000000 characteristics
        4549ACD4 time date stamp Thu Nov 02 14:01:16 2006
            0.00 version
               1 ordinal base
            1902 number of functions
            1902 number of names

        ordinal hint RVA      name

             10    0 000246E0 A_SHAFinal--this dumps out every exported function of ntdll.dll with its ordinal, hint and RVA (the system service numbers are not in this table; they sit inside the Nt*/Zw* stub code that the RVA points at)
             11    1 000245D8 A_SHAInit
             12    2 0002462E A_SHAUpdate
             13    3 0000A956 AlpcAdjustCompletionListConcurrencyCount
             14    4 0000B0C0 AlpcFreeCompletionListMessage
             15    5 00097D6D AlpcGetCompletionListLastMessageInformation
             16    6 00097D39 AlpcGetCompletionListMessageAttributes
             17    7 0006637A AlpcGetHeaderSize
             18    8 00066343 AlpcGetMessageAttribute
             19    9 0000AF0D AlpcGetMessageFromCompletionList
             20    A 00070C93 AlpcGetOutstandingCompletionListMessageCount
             21    B 00022DEB AlpcInitializeMessageAttribute
             22    C 00011135 AlpcMaxAllowedMessageLength
             23    D 0000AD39 AlpcRegisterCompletionList
             24    E 0000AE5A AlpcRegisterCompletionListWorkerThread
             25    F 00070CB2 AlpcUnregisterCompletionList
             26   10 0000AD95 AlpcUnregisterCompletionListWorkerThread
             27   11 0003DCE5 CsrAllocateCaptureBuffer
             28   12 0003DD78 CsrAllocateMessagePointer
             29   13 0003EF49 CsrCaptureMessageBuffer
             30   14 00038FFA CsrCaptureMessageMultiUnicodeStringsInPlace
             31   15 00038F9A CsrCaptureMessageString
             32   16 0008EC13 CsrCaptureTimeout
             33   17 00067F66 CsrClientCallServer
             34   18 00034C8C CsrClientConnectToServer
             35   19 0003DDBE CsrFreeCaptureBuffer
             36   1A 0008EC08 CsrGetProcessId
             37   1B 0008EBF3 CsrIdentifyAlertableThread
             38   1C 0008EBF3 CsrNewThread
             39   1D 0008EBFB CsrSetPriorityClass
             40   1E 0008EC46 CsrVerifyRegion
             41   1F 00042EA8 DbgBreakPoint
             42   20 0001544A DbgPrint
             43   21 000214D5 DbgPrintEx
             44   22 00097ED7 DbgPrintReturnControlC
             45   23 00097E12 DbgPrompt
             46   24 00097E58 DbgQueryDebugFilterState
             47   25 00097E68 DbgSetDebugFilterState
             48   26 0008EF7E DbgUiConnectToDbg
             49   27 0008F026 DbgUiContinue
             50   28 0008F158 DbgUiConvertStateChangeStructure
             51   29 0008F116 DbgUiDebugActiveProcess
             52   2A 0008EFD0 DbgUiGetThreadDebugObject
             53   2B 0008F0D0 DbgUiIssueRemoteBreakin
             54   2C 0008F06D DbgUiRemoteBreakin
             55   2D 0008EFE2 DbgUiSetThreadDebugObject

    ---long list..................................................................
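    The table above is the export directory of the image. As an added example (not code from the post), the Python below walks that directory the way `link.exe -dump -exports` does, and for `Nt*`/`Zw*` exports reads the service number out of the stub that the RVA column points to, which the dump itself does not list. `SAMPLE_DLL` is a constructed miniature PE32 whose export section imitates ntdll.dll; its stub bytes and service numbers are placeholders, not values from a real ntdll. Point `list_exports` at the bytes of a real, unpacked on-disk image to get the real table.

```python
"""PE export-directory walker plus an Nt*/Zw* service-number peek.

Added example; assumes an unpacked on-disk image (RVAs are mapped through
the section table). SAMPLE_DLL is constructed test data, not real ntdll bytes.
"""
import struct

SYSCALL_PREFIXES = (b"\xb8",              # x86 stub: mov eax, imm32
                    b"\x4c\x8b\xd1\xb8")  # x64 stub: mov r10, rcx ; mov eax, imm32


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_headers(data):
    """Return (export_dir_rva, export_dir_size, sections) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    export_rva, export_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96))
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, max(vsize, raw_size), raw_ptr))
    return export_rva, export_size, sections


def rva_to_offset(sections, rva):
    for _, va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def list_exports(data):
    """[(ordinal, hint, rva, name, forwarder)] in hint order, i.e. the dumpbin /exports table."""
    export_rva, export_size, sections = parse_headers(data)
    if not export_rva:
        return []
    (_, _, _, _, _, base, _, nnames, funcs, names, ords) = struct.unpack_from(
        "<IIHHIIIIIII", data, rva_to_offset(sections, export_rva))
    out = []
    for hint in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_offset(sections, names + 4 * hint))[0]
        idx = struct.unpack_from("<H", data, rva_to_offset(sections, ords + 2 * hint))[0]
        rva = struct.unpack_from("<I", data, rva_to_offset(sections, funcs + 4 * idx))[0]
        # an RVA that lands inside the export directory is a forwarder string, not code
        fwd = _cstr(data, rva_to_offset(sections, rva)) if export_rva <= rva < export_rva + export_size else None
        out.append((base + idx, hint, rva, _cstr(data, rva_to_offset(sections, name_rva)), fwd))
    return out


def syscall_number(data, rva):
    """Service number from a stub starting with 'mov eax, imm32' (x86 or x64 shape), else None."""
    _, _, sections = parse_headers(data)
    off = rva_to_offset(sections, rva)
    for prefix in SYSCALL_PREFIXES:
        if data[off:off + len(prefix)] == prefix:
            return struct.unpack_from("<I", data, off + len(prefix))[0]
    return None


def service_table(data):
    """{name: service number} for the Nt*/Zw* exports whose stub exposes one."""
    table = {}
    for _, _, rva, name, fwd in list_exports(data):
        if fwd is None and name.startswith(("Nt", "Zw")):
            num = syscall_number(data, rva)
            if num is not None:
                table[name] = num
    return table


def _x86_stub(num, argbytes):
    # Vista x86 stub shape: mov eax,num ; mov edx,7FFE0300h ; call [edx] ; ret argbytes
    return b"\xb8" + struct.pack("<I", num) + b"\xba\x00\x03\xfe\x7f\xff\x12\xc2" + struct.pack("<H", argbytes)


def build_sample_dll():
    """Constructed PE32 DLL with three exports laid out like a real export section (placeholder numbers)."""
    stubs = [("A_SHAFinal", b"\x55\x8b\xec\xc3"),   # ordinary function, not a syscall stub
             ("NtClose", _x86_stub(0x0C, 4)), ("NtOpenFile", _x86_stub(0xBA, 0x18))]
    n, sec_va, sec_raw = len(stubs), 0x1000, 0x200
    sec = bytearray(40 + 10 * n)          # directory + AddressOfFunctions + AddressOfNames + AddressOfNameOrdinals
    dll_name_rva = sec_va + len(sec)
    sec += b"ntdll.dll\0"
    name_rvas, func_rvas = [], []
    for name, _ in stubs:
        name_rvas.append(sec_va + len(sec))
        sec += name.encode() + b"\0"
    for _, code in stubs:
        func_rvas.append(sec_va + len(sec))
        sec += code
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0x4549ACD4, 0, 0, dll_name_rva, 1, n, n,
                     sec_va + 40, sec_va + 40 + 4 * n, sec_va + 40 + 8 * n)
    for i in range(n):
        struct.pack_into("<I", sec, 40 + 4 * i, func_rvas[i])
        struct.pack_into("<I", sec, 40 + 4 * n + 4 * i, name_rvas[i])
        struct.pack_into("<H", sec, 40 + 8 * n + 2 * i, i)   # unbiased ordinal: ordinal = Base + i
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4549ACD4, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va, 40 + 10 * n)    # DataDirectory[0]: export directory
    sect = struct.pack("<8sIIII", b".text", len(sec), sec_va, len(sec), sec_raw).ljust(40, b"\0")
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_raw, b"\0") + bytes(sec)


SAMPLE_DLL = build_sample_dll()

if __name__ == "__main__":
    for ordinal, hint, rva, name, fwd in list_exports(SAMPLE_DLL):
        print("%7d %4X %08X %s" % (ordinal, hint, rva, name if fwd is None else name + " -> " + fwd))
    print(service_table(SAMPLE_DLL))
```

    Two caveats for real use: forwarded exports (RVA inside the export directory) carry a "DLL.Function" string instead of code, so they are skipped, and the `mov eax, imm32` check is only meaningful on `Nt*`/`Zw*` names, since any function may happen to begin with that instruction.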


  • What changed on Disk when I Enabled Bitlocker and configured bitlocker protected data partitions

    I was curious to see what changes BitLocker makes on my raw disk, so I picked up dskprobe and had a quick look. I would like to share a few of the changes I saw; a lot more gets changed than is covered below.

    111 - Copy

    112

    On the OS partition, i.e. my C: drive, I used dskprobe to open the NTFS boot sector, and the OEM ID string reads -FVE-FS- instead of NTFS. I also saw that the "clusters to MFT mirror" field no longer points at the MFT mirror but at something else... see below.


    cluster mirror mft

    I figured out that this is the start of the FVE metadata, as visible in the dump; GAUEPSSSET01 is the name of my computer, and the original value of "clusters to MFT mirror" is kept inside the FVE metadata itself. So searching the disk for the -FVE-FS- string is one way to locate the backup copies of the FVE metadata; the better way, if it is ever required, is the BitLocker Repair Tool.

    For more information about the BitLocker Repair Tool, see the article below.

    928201    How to use the BitLocker Repair Tool to help recover data from an encrypted volume in Windows Vista
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;928201

    Now I wanted to see what happens with data partitions protected by BitLocker, which of course needs a Vista SP1 machine.

    Yes, with Windows Vista SP1 (still in beta) you can protect your data partitions too, as you can see below.

    115

    I once again used dskprobe and opened the NTFS boot sector of one of the data partitions.

    ntfs boot sector of data partition

    There is a lot more that gets changed, but it is not covered here.

    For more information about dskprobe (part of the Support Tools) see:

    http://technet2.microsoft.com/windowsserver/en/library/006902f1-bae9-4055-9ad2-123ea19006b71033.mspx?mfr=true


    Gaurav Anand

    This posting is provided "AS IS" with no warranties, and confers no rights.
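    Added example, not code from the post above: a small Python reader for the boot-sector changes the post describes, which you can run against a sector dump instead of eyeballing it in dskprobe. It assumes the Vista on-disk layout: the OEM ID at offset 3 becomes "-FVE-FS-", and the 8-byte field at offset 0x38 (the MFT-mirror cluster on plain NTFS) holds the byte offset of the first FVE metadata block. Each metadata block begins with the same "-FVE-FS-" string, which is why scanning for it finds the copies; the header size/version fields at offsets 8/10 and the three block offsets at 0x28..0x38 of that header follow the layout documented by the libbde project (an assumption, not something the post states). `DISK_IMAGE` and `NTFS_BOOT_SECTOR` are constructed miniature images, not real disk contents.

```python
"""NTFS / BitLocker (Vista, "-FVE-FS-" version 1) boot-sector reader and metadata-copy finder.

Added example. Layout assumptions are noted inline; DISK_IMAGE is constructed test data.
"""
import struct

NTFS_OEM = b"NTFS    "
FVE_OEM = b"-FVE-FS-"


def parse_boot_sector(sector):
    """Decode the fields dskprobe shows; on a BitLocker volume 0x38 is the FVE metadata pointer."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector (55 AA signature missing)")
    oem = bytes(sector[3:11])
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)              # bytes/sector, sectors/cluster
    total, mft, mirror_field = struct.unpack_from("<QQQ", sector, 0x28)   # 0x28 total sectors, 0x30 MFT, 0x38 mirror
    info = {"oem_id": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft, "fve": False}
    if oem == NTFS_OEM:
        info["mft_mirror_cluster"] = mirror_field
    elif oem == FVE_OEM:
        info["fve"] = True
        info["fve_metadata_offset"] = mirror_field      # Vista: byte offset of the first FVE metadata block
    else:
        raise ValueError("unknown OEM ID %r" % oem)
    return info


def parse_fve_block_header(image, offset):
    """Header of an FVE metadata block, or None if the bytes at offset are not one (libbde layout)."""
    hdr = image[offset:offset + 64]
    if len(hdr) < 64 or hdr[:8] != FVE_OEM:
        return None
    size, version = struct.unpack_from("<HH", hdr, 8)
    if version not in (1, 2):                             # 1 = Vista, 2 = Windows 7 and later
        return None
    return {"offset": offset, "size": size, "version": version,
            "block_offsets": struct.unpack_from("<QQQ", hdr, 0x28)}


def find_fve_metadata_copies(image, sector_size=512):
    """Sector-aligned offsets that carry a plausible FVE metadata block header."""
    return [off for off in range(0, len(image) - 64, sector_size) if parse_fve_block_header(image, off)]


def audit(image):
    """Is the volume BitLocker-converted, where are the metadata copies, and is the 0x38 pointer sane?"""
    boot = parse_boot_sector(image[:512])
    result = {"bitlocker": boot["fve"], "copies": find_fve_metadata_copies(image), "pointer_verified": None}
    if boot["fve"]:
        primary = parse_fve_block_header(image, boot["fve_metadata_offset"])
        result["pointer_verified"] = primary is not None and boot["fve_metadata_offset"] in primary["block_offsets"]
    return result


# ---- constructed sample data (not real disk contents) ----
def _boot_sector(oem, mirror_field):
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                                   # jmp/nop as on NTFS
    s[3:11] = oem
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, 128, 4, mirror_field)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def _fve_block(offsets):
    b = bytearray(512)
    b[0:8] = FVE_OEM
    struct.pack_into("<HH", b, 8, 0x48, 1)                     # header size, version 1 (Vista)
    struct.pack_into("<QQQ", b, 0x28, *offsets)
    return bytes(b)


def _build_image():
    img = bytearray(64 * 1024)
    blocks = (0x4000, 0x8000, 0xC000)
    img[0:512] = _boot_sector(FVE_OEM, blocks[0])
    for off in blocks:
        img[off:off + 512] = _fve_block(blocks)
    img[0x2345:0x234D] = FVE_OEM                               # decoy: string inside file data, unaligned
    img[0x3000:0x3008] = FVE_OEM                               # decoy: aligned, but nonsense version
    struct.pack_into("<HH", img, 0x3008, 0, 0xFFFF)
    return bytes(img)


NTFS_BOOT_SECTOR = _boot_sector(NTFS_OEM, 2)
DISK_IMAGE = _build_image()

if __name__ == "__main__":
    print(parse_boot_sector(NTFS_BOOT_SECTOR))
    print(parse_boot_sector(DISK_IMAGE[:512]))
    print(audit(DISK_IMAGE))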

  • Configuring bitlocker

    I thought of giving everyone feel of how easy it is to configure bitlocker on your machine. I picked a test Lenovo T60p machine and opened bitlocker drive encryption applet from control panel. You will get option to turn on bitlocker but before you do that you first need to prepare your machine for bitlocker i.e. it should have a separate system partition which has to be NTFS and at least 1.5GB. For this you will get bitlocker drive preparation tool by calling Microsoft PSS. You may also do it manually but it is easier from the tool.

    Once you get this tool and extract it on desktop and run it you will see what is shown in pic 1. It will shrink your C drive if there is no unallocated space on hard drive and then create a new active system partition and prepare it for bitlocker.

    1

                                             pic 1

    Once that is done… open bitlocker drive encryption applet from control panel and if you turn on bitlocker then you will see option as shown in pic2. You can also see that it says machine does not have TPM. Actually till now I have not turned on TPM from bios.

    2

                                                                   pic 2

    So I went to TPM.msc and I see what is shown in pic3 …it does not detect my TPM as expected.

    3

                                                                    pic 3

    I went to bios and turned on my TPM device…once I booted back to OS and opened TPM.msc, it asks me to initialize my TPM. You can see that in pic 4

    4

                                                                                            pic 4

    I tried to initialize and got error message as shown in pic 5..reason I am not on network and unable to communicate with AD. This group policy is enabled by default as I mentioned last time that it tries to backup TPM owner password information.

    clip_image001

                                            pic 5

    I connected to network and was able to initialize. Now as you see in pic 6 it says TPM is on and ownership has been taken...it will allow you to backup TPM password too. It also gives you the option to reset the TPM in GUI interface as shown.

    clip_image001[6]

                                                 pic 6

    Now I went back to bitlocker drive encryption control panel applet and turned it on…and it started encrypting my C drive. You may turn off your machine and it will resume conversion process as soon as you start next time. You may pause conversion too. Generally the conversion rate is 1GB/min but it varies depending on various factors including the hardware. Pic 7 shows same.

    clip_image001[8]

                                                       pic 7

    On the same window if you click on “manage bitlocker keys” you will get an option to reset the pin (if you have configured) and also to duplicate your recovery password I.e. save password as shown in pic 8

    You can save it on a non bitlocker encrypted partition or USB or print it.

    clip_image001[10]

                                         pic 8

    Gaurav Anand

    ------------------------------

    This posting is provided "AS IS" with no warranties, and confers no rights.

More Posts Next page »

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker